Hear Stuut chase cash! The agent doing $200M / mo in AI collections wants to chat.

Give Stuut a Ring

ACH return codes explained (R01, R02, R03 and what to do about them)

Ben Winter
CPO
Table of contents

See Stuut in action

Get a personalized demo of Stuut and see how it can help with AR automation.

Get started

TL;DR: When an ACH payment fails, your customer's bank sends your bank a standardized return code explaining why. The most common are R01 (insufficient funds), R02 (account closed), and R03 (no account found). Each code requires a different response: R01 allows up to two retries within 180 days, R02 requires a new payment method immediately, and R03 and R04 require verified account data before reprocessing. NACHA caps unauthorized returns (R05, R07, R10, R11, R29, and R51) at 0.5% and administrative returns at 3% on a rolling 60-day basis. Stuut is designed to help log ACH exceptions, contact customers for updated details, and update your ERP.

The biggest operational cost of an ACH return often isn't the bank return fee. It's typically the hours your collections team spends chasing customers for updated bank details, re-logging the exception in the ERP, and figuring out why the payment failed. NACHA's ACH network processes billions of payments annually, and even a small failure rate creates real operational overhead for AR teams at manufacturing and distribution companies.

When an ACH return hits, your cash flow stalls and your team shifts into manual research mode at exactly the wrong time. If you understand the specific NACHA return codes and build a standardized response for each one, you resolve failures faster and prevent them from recurring rather than treating every return as a one-off investigation.

What ACH return codes signal to your AR team

When your ACH debit fails, your customer's bank (the RDFI, or Receiving Depository Financial Institution) sends a return entry to your bank (the ODFI, or Originating Depository Financial Institution) with a standardized code explaining the reason. That code determines what you do next. According to Modern Treasury's ACH return reference, there are 85 distinct ACH return codes ranging from R01 to R85, though most AR teams encounter fewer than 10 in everyday B2B collections.

A returned payment means an invoice that was supposed to close is now open again, your DSO climbs, and someone needs to act fast. The code tells you exactly which action to take, whether that's retrying the payment, collecting new bank details, or pulling your authorization records.

Key steps in ACH returns

The ACH payment process follows a four-step sequence, with returns triggered as a separate exception process after settlement:

  1. Origination: Your bank (ODFI) batches ACH entries and prepares them for submission.
  2. Validation: The ODFI checks the transaction for proper formatting and authorization.
  3. Routing: The ACH Operator receives files from ODFIs, sorts transactions by destination, and routes entries to your customer's bank (RDFI).
  4. Settlement: Funds move between banks at the settlement date.
  5. Return: If the transaction fails, the RDFI issues a return entry with the applicable R-code, typically within two banking days of settlement.

What causes ACH payment returns?

ACH returns typically fall into three categories:

  • Account issues: Closed accounts (R02), invalid account numbers (R04), or accounts that can't be located (R03)
  • Funding failures: Insufficient funds (R01), the most frequent return code in B2B collections
  • Authorization disputes: Customer disputes that the debit was authorized (R05, R10, R29), which carry the most serious compliance risk

ACH return code deadlines

According to NACHA's operating rules, the standard window for an RDFI to return a commercial transaction is two banking days from the settlement date for codes like R01, R02, R03, and R04. Unauthorized transaction codes (R05, R07, R10) allow up to 60 calendar days for consumer accounts, creating a longer exposure window for your AR team. Modern Treasury's prenote guide notes that proactive verification before processing is the most reliable way to avoid this two-day scramble entirely.

Decoding common ACH return codes (R01, R02)

This table maps every common return code to its exact required response. Use it as your quick-reference lookup when a return hits your aging report:

Code Description Common cause Actionable steps
R01 Insufficient funds Account balance too low at settlement Retry after 3 to 5 business days, max 2 retries within 180 days
R02 Account closed Customer closed the bank account Do not retry - collect new payment method immediately
R03 No account/unable to locate Account number valid but no match to customer name Contact customer to verify account and routing numbers
R04 Invalid account number Account number structurally wrong (wrong digit count) Correct account number in ERP before reprocessing
R05 Unauthorized consumer debit using corporate SEC code Consumer account debited using a corporate SEC code (such as CCD) instead of a consumer SEC code (such as PPD) Pull authorization records immediately - do not retry
R07 Authorization revoked by customer Customer previously authorized the debit but has since formally revoked that authorization by notifying their bank in writing Do not retry - pull authorization records, document the revocation, and contact the customer to reinstate authorization or arrange an alternative payment method
R10 Customer advises not authorized Customer tells bank originator is unknown or unauthorized Review authorization documentation and contact customer
R29 Corporate customer advises not authorized Corporate account holder tells bank originator is not authorized Contact customer and confirm authorization before resubmitting

R01 insufficient funds: AR action plan

R01 means the customer's account didn't have enough funds to cover the debit at settlement time. It's the most common return code in B2B AR and usually not a sign of a serious problem, but it requires a prompt response. Wait three to five business days before retrying to give the customer time to fund their account.

R02 handling closed ACH accounts

R02 is non-retriable. The account is gone and no retry will succeed. Your only path forward is getting a new payment method from the customer as quickly as possible. Contact them by phone or email, explain that the ACH debit returned due to a closed account, and route them to a secure payment portal to update their bank details before the invoice ages further. Update your ERP record as soon as you receive the new information to prevent future returns on the same account.

R03 verify customer account details

R03 means the account number looks structurally valid but doesn't match any active account associated with the customer's name at that institution. This often happens after a customer changes banks and provides partial or inaccurate details during onboarding. Contact the customer to get their current routing number, account number, and account type, confirm those details in writing before reprocessing, and update your ERP record to prevent the same return on the next payment cycle.

R04 how to resolve invalid accounts

R04 differs from R03 in a specific way: The account number itself is structurally incorrect, typically containing the wrong number of digits or a formatting error, rather than failing to match a name. This is almost always a data entry error during customer onboarding. Correct the account number in your ERP before submitting a new transaction and add a bank account verification step to your customer setup process to catch these errors before they generate a return.

R05 managing unauthorized consumer debits

R05 signals that a consumer account was debited using a corporate SEC code (such as CCD or CTX) instead of the required consumer SEC code (such as PPD). This is a compliance-sensitive code and you should not retry the transaction under any circumstances. Pull your signed authorization agreement immediately and confirm that the account type and SEC code classification are correct. Before submitting any future transaction to this account, correct the SEC code in your payment processing system to use the appropriate consumer code (PPD for consumer ACH debits) rather than the corporate code that triggered the return.

R07 when a customer revokes authorization

R07 means the customer previously gave you valid authorization to debit their account but has since revoked it in writing with their bank. Unlike R10, this isn't a dispute about whether authorization ever existed. The customer is telling their bank to stop future debits.

Do not retry the transaction. Pull the original signed authorization agreement and contact the customer directly to understand why the authorization was revoked, whether that's a billing dispute, a bank switch, or a change in payment preference. Resolve the underlying issue before requesting a new authorization, because resubmitting without confirmed consent risks an R10 or R29 on the next attempt.

R10 when a customer denies authorization

R10 means the customer has told their bank they don't recognize the originator or haven't authorized the debit. Pull your authorization documentation before taking any other action and, if your records show a valid signed agreement, work with your payment processor to challenge the return through the proper dispute channel. NACHA's network risk enforcement rules hold originators responsible for maintaining proof of authorization for every debit entry, so the quality of your records determines whether you win or lose an R10 challenge.

R29 unauthorized corporate account debit

R29 applies when a corporate account holder notifies their bank that your company isn't authorized to debit their account. Contact the customer, confirm they owe the invoice, and work with them to confirm the correct authorization is in place before resubmitting. This is typically a process failure rather than a genuine dispute about the underlying invoice, and it's usually resolved once the customer's bank has the proper authorization documentation on file.

Resolve each ACH failure: Step guide

Knowing what each code means is half the job. The real question is how fast your team acts and how consistently you apply the right response for each code. AR teams often handle returns reactively, which can mean invoices sit in limbo while someone works out the next step.

Stuut is designed to help log ACH exceptions, contact customers for updated payment details, and update your ERP. Your AR team reviews flagged exceptions on the dashboard and handles only the cases requiring human judgment, like authorization disputes or negotiated payment plans, while Stuut manages routine follow-up.

R01 retry timing and contact strategy

Wait three to five business days before retrying R01. If you retry too early, the account may still have insufficient funds and you'll burn one of your two allowed attempts. Stuut is designed to help contact the customer after an R01 is logged, prompting them to confirm the account is funded or update their payment method before the retry runs, so invoices don't sit unresolved between the return date and the retry window.

R02 update customer payment method

For R02, the priority is securing a new payment method before the invoice ages further. Route the customer to a secure digital payment link where they can submit new ACH details or pay by credit card right away. Stuut's digital payment rails, built on Stripe, generate a payment link during the automated follow-up conversation so the invoice closes without your team manually re-entering payment information in the ERP.

R03/R04 prevent future returns

For R03 and R04, the fix is in the data. Correct the account details in your ERP before reprocessing and add a verification checkpoint to your new customer onboarding workflow so future accounts are confirmed before the first live transaction runs. Stuut's cash application layer self-learns account metadata, including bank account identifiers and remittance parsing patterns, so once a corrected account is confirmed, Stuut matches future payments from that source automatically and reduces the likelihood of the same error recurring.

R05, R07, R10, R29 secure authorization proof

For all four unauthorized debit codes, your documentation is your defense. Store signed ACH authorization agreements in a central location accessible to your entire AR team, not in a personal spreadsheet or email folder. Every authorization should include the company name, account details, and explicit consent language covering the debit amount and frequency. For R07 specifically, also document when and how the customer revoked authorization, because that timeline is relevant if a dispute escalates. Stuut captures the full chain of customer communication for each account interaction, creating a retrievable audit trail your team can pull when an unauthorized return requires a formal dispute response weeks after the original payment date.

Setting expectations for ACH return rates

A high return rate signals to NACHA that your payment origination process has problems, whether data quality issues, weak authorization practices, or insufficient account verification at onboarding. Understanding the benchmarks keeps you out of compliance trouble before it escalates to a formal inquiry.

Sector-specific ACH return benchmarks

Publicly available benchmark data specific to manufacturing and distribution is limited, but the underlying drivers are consistent across industrial B2B sectors: account data quality and authorization documentation. Companies managing high transaction volumes across a large customer base face greater exposure to R03 and R04 returns, particularly when customer banking details are collected manually during onboarding and never re-verified. Regular customer contact can help surface stale bank details earlier, before they cause a return rather than after. The DSO improvement checklist covers how systematic account contact reduces these data quality gaps over time.

Preventing NACHA penalties for ACH returns

You need to track three NACHA return rate thresholds on a rolling 60-day basis, detailed in the ACH network risk and enforcement rules:

  • Administrative returns (R02, R03, R04): Must stay below 3%
  • Overall return rate (all R codes): Must stay below 15%
  • Unauthorized returns (R05, R07, R10, R11, R29, R51): Must stay below 0.5%

Exceeding the 3% administrative threshold triggers a formal NACHA review that can result in required remediation, penalties, or suspension from ACH origination. The 0.5% unauthorized threshold is the most consequential because even a small number of R10 or R29 returns can push a high-volume originator over the line. Every unauthorized return that reaches a NACHA review represents a documentation or authorization failure that your team should have caught upstream.

Book a demo with the team to see how Stuut handles ACH exceptions and payment matching autonomously, including how the exception dashboard flags return codes and queues customer follow-up without manual intervention.

FAQs

What is the NACHA threshold for unauthorized ACH returns?

NACHA enforces a 0.5% threshold for unauthorized returns (codes R05, R07, R10, R11, R29, and R51) on a rolling 60-day basis. Exceeding this limit triggers a NACHA inquiry and can result in fines or suspension from ACH origination.

How many times can you retry an R01 ACH return?

You can retry an R01 (insufficient funds) return a maximum of two additional times within 180 days of the original effective date. Each retry must be submitted as a new transaction entry, not a re-presentment.

Who pays the fee for an ACH return?

The ODFI charges the merchant a return fee per returned item, and the exact amount varies by financial institution. Merchants can pass this fee to the customer only if explicitly stated in the signed payment authorization agreement.

What is the difference between R03 and R04?

R03 means the account number appears valid but cannot be matched to the customer's name or located at the receiving institution. R04 means the account number itself is structurally incorrect, typically because it contains the wrong number of digits or a formatting error.

Can you retry an R02 ACH return?

No. R02 (account closed) cannot be retried because the account no longer exists. You must collect a new payment method from the customer before processing a replacement transaction.

What triggers an R29 return code?

R29 occurs when a corporate account holder notifies their bank that your company is not authorized to debit their account. Resolving it requires confirming proper authorization is in place before you resubmit the payment.

Key terms glossary

ODFI (Originating Depository Financial Institution): The bank that initiates the ACH transaction on behalf of the business collecting the payment. The ODFI is responsible for ensuring proper authorization and compliance with NACHA rules before submitting entries.

RDFI (Receiving Depository Financial Institution): The customer's bank that receives the ACH debit request and issues a return code if the payment cannot be processed. The RDFI has two banking days to return most commercial transactions after the settlement date.

Prenote: A zero-dollar test transaction sent through the ACH network to verify a customer's bank account details before processing a live payment. Prenote verification takes approximately three days and is most effective when built into a new customer onboarding workflow.

NACHA: The governing body that manages the development, administration, and rules of the ACH Network. NACHA sets return rate thresholds for all originators and enforces compliance through its member financial institutions.

Cash application: The process of matching incoming payments to the correct open invoices in the AR subledger. Automated cash application reduces the manual reconciliation time between payment receipt and ERP posting.

DSO (Days Sales Outstanding): A measure of how long, on average, it takes a company to collect payment after a sale. Resolving ACH returns faster reduces DSO by closing invoices that would otherwise sit open in the 31 to 60 or 61 to 90 aging buckets.

Aging report: A report showing all outstanding invoices grouped by how long they've been overdue (0 to 30, 31 to 60, 61 to 90, and 90+ days). AR teams use the aging report to prioritize collection activity daily and identify which accounts have unresolved ACH returns.

Ben Winter

CPO

Ben brings over a decade of go-to-market and operations expertise to building AR automation that actually works. He was VP Marketing at Fairmarkit (where he met Tarek) and GTM executive at Waldo before co-founding Stuut. He focuses on operations, product, and marketing—ensuring the platform integrates seamlessly with existing ERP systems and delivers results in days rather than months.

Frequently asked questions  about DSO

Is a higher or lower DSO better?
Lower is better because it means cash reaches your account faster. A DSO of 35 days is better than 55 days if your payment terms are the same.
Does DSO include current AR?
Yes. DSO reflects the total dollar amount you're owed from outstanding invoices, including invoices that aren't yet due.
How does bad debt affect DSO?
Writing off bad debt reduces your AR balance, which artificially lowers DSO even though no cash was collected. Ensure your AR figure is net of bad debt reserves for accurate measurement.
Should I calculate DSO monthly or annually?
Both. Annual DSO tracks long-term trends, while monthly DSO helps you spot process problems quickly and take corrective action before they compound.
What's the difference between DSO and CEI?
DSO measures collection speed in days. CEI measures collection quality as a percentage. A company can have low DSO but poor CEI if they're writing off accounts aggressively.
Can I reduce DSO without upsetting customers?
Yes. Proactive communication before due dates, helpful reminders, and fast dispute resolution improve customer experience while accelerating payment.

Related posts

Setup time to learn more