

Get a personalized demo of Stuut and see how it can help with AR automation.
If your company originates ACH payments, your team likely overlooks the compliance layer underneath every ACH transaction you process: the Nacha Operating Rules. A return rate that edges past the 0.5% threshold, an improperly stored authorization record, or a missed fraud monitoring deadline can trigger fines that compound monthly and, in severe cases, restrict your company's ability to originate ACH entries entirely.
This guide covers the rules that affect your AR work directly, stripped of banking jargon, and explains what the 2026 rule changes require you to do before June 22nd.
Nacha (the National Automated Clearing House Association) writes and enforces the Operating Rules for the ACH Network. In 2025, the ACH Network processed 35.2 billion payments valued at $93 trillion, marking the 13th consecutive year total ACH value increased by at least $1 trillion.
You face Nacha compliance obligations whenever a customer pays via ACH debit, direct deposit, or same-day ACH transfer. That includes the routine B2B payments that flow into your ERP every day: vendor payments, trade account settlements, and recurring invoice debits. Every one of those transactions carries authorization requirements, validation obligations, and return rate responsibilities that fall on your company as the originator.
The rules that directly affect AR work fall into three categories: authorization, account validation, and return rate management. The table below maps each rule type to the party responsible and the practical obligation it creates for your team.
These obligations sit with you as the originator, meaning your ODFI holds you contractually accountable for compliance failures.
You need to understand where your company sits in the ACH Network because it determines which compliance obligations you carry. Per Nacha's ACH developer guide, every ACH transaction involves four parties:
As a direct originator or third-party sender, your ODFI holds you contractually accountable for return rate thresholds and authorization compliance. As Stripe's NACHA explainer notes, your bank can suspend ACH origination access if violations go unresolved, which makes this a business-critical risk, not just a banking formality.
You must secure proper authorization before initiating any debit against a customer's bank account. NACHA requires documented evidence that the customer consented to that specific transaction or recurring series of transactions, and missing that proof puts you in violation.
Nacha defines authorization requirements based on how the customer consents and the type of transaction. The most common authorization types for AR teams are:
You must retain proof of authorization records for the two-year retention requirement following the date of the last transaction, covering written agreements, recorded calls, and digital consent logs. For AR teams managing hundreds of customer accounts, that documentation burden compounds quickly. It requires a system that stores records automatically, not a shared drive that depends on individual collectors remembering to save files.
You protect your company and your customers when you validate account numbers before processing payments. When payment data is inaccurate or has been altered through fraud, entries return as unauthorized debits and push your return rate toward NACHA's enforcement thresholds.
You must validate a customer's account number before its first use and before any change to that account number under Nacha's Account Validation Rule for WEB debits. Nacha is specific: Account validation is a required component of "a commercially reasonable fraudulent transaction detection system" for WEB debit entries, with enforcement consequences for non-compliance. The Nacha Account Validation Resource Center provides detailed implementation guidance for businesses working through the requirement.
Your practical obligation as an AR analyst is to confirm that any account number you receive from a customer is open and capable of accepting ACH entries before you initiate the first debit. Unvalidated account changes can drive administrative returns (the 3% return rate category) and create fraud exposure if a bad actor submits falsified account details. Staying current on WEB debit validation preparation is essential as enforcement tightens.
Nacha's Account Validation Resource Center provides examples of accepted validation methods, including:
Stuut's cash application module achieves a 95%+ automated match rate by parsing remittance data from bank accounts and lockboxes automatically and posting entries to the AR subledger in real time. The system flags payments it cannot match with confidence and routes them to you for review, so your team handles exceptions rather than processing every transaction by hand.
You need to monitor your return rates closely because Nacha tracks them to ensure originators aren't debiting accounts without proper consent or with inaccurate banking data. Both conditions damage the integrity of the ACH Network and trigger escalating consequences for your company.
Per Nacha return rate thresholds, two separate caps govern your origination activity:
Nacha also sets an overall debit return rate guideline of 15% or below, excluding RCK (re-presented check) entries. RCK entries are ACH debits created from checks that have been returned for insufficient or uncollected funds, and they're excluded because they represent a different risk profile than original ACH authorizations. The unauthorized 0.5% cap is the one most likely to trigger formal enforcement because those specific return codes indicate the account holder claims they never authorized the transaction.
Nacha noncompliance penalties escalate through a formal warning and fine system. Early violations generate formal warnings, and repeated or unresolved violations result in fines of up to $500,000, and continuing monthly for unresolved violations. In the most serious cases, Nacha can suspend your company's ability to originate ACH entries entirely, which eliminates the digital payment channel most B2B customers prefer. Enforcement flows through Nacha's National System of Fines, administered by your ODFI.
Same Day ACH settles transactions within the same business day, which reduces DSO for AR teams that can route qualifying payments through this channel. For a broader look at how faster settlement connects to cash flow improvement, see our DSO improvement checklist.
The current Same Day ACH limit is $1 million per transaction. Nacha's membership has already approved a future increase, and the limit rises to $10 million on September 17, 2027. For most mid-market B2B invoice payments, the current $1 million cap covers the vast majority of transactions your team processes today.
To qualify for Same Day ACH, transactions must fall below the per-transaction dollar limit and you must submit them to your ODFI within one of the three designated processing windows during the business day: 10:30 AM ET, 2:45 PM ET, and 4:45 PM ET. International ACH transactions (IAT entries) are not eligible. For B2B AR, CCD entries (Corporate Credit or Debit) are the standard code for business-to-business debits and credits and qualify for Same Day ACH processing when submitted on time and within the dollar threshold.
The 2026 rule changes represent the most significant update to Nacha's fraud framework in recent years, and the compliance burden falls on originators including your AR team's payment operations.
Nacha's fraud monitoring rule amendments, effective June 22, 2026, require all non-consumer originators to implement risk-based fraud monitoring processes regardless of transaction volume. You can no longer rely entirely on your ODFI to catch fraud upstream. You need documented internal processes for flagging suspicious payment activity before you submit entries, covering your role in authorizing or transmitting ACH entries that may be "suspected of being unauthorized or authorized under False Pretenses," as Nacha's language states.
Use these six steps to prepare:
Nacha clarified that June 19, 2026 is a federal holiday, so the practical compliance date is the next banking day, Monday, June 22, 2026.
You can integrate Nacha requirements into the systems your team uses daily rather than managing them as a separate checklist. The goal is building compliance into your workflow, not adding manual overhead to an already full day.
The two most common compliance failures for AR teams are return rate accumulation and authorization documentation gaps. Return rate accumulation happens when stale or unverified customer banking data drives up administrative returns without anyone noticing until the ODFI sends a warning. Authorization gaps occur when customers update their banking details informally and those changes enter the ERP without re-validation, creating entries with no defensible consent record. Both problems are invisible until they become enforcement issues, and teams that rely on manual collections processes face heightened exposure because informal communication creates undocumented authorization chains.
When you work the aging report each morning, look for standard SEC entry class codes in your ERP or bank transaction feed to identify NACHA-covered ACH transfers:
Any entry in these categories carries authorization, validation, and return rate requirements. If your ERP doesn't surface these codes directly, your ODFI's reporting portal typically breaks them out by entry class.
Nacha enforces rules through the National System of Fines, a formal warning-and-fine structure where ODFIs report violations and escalate them through Nacha's compliance review process. Day-to-day enforcement sits with your ODFI, which monitors your return rates and can issue warnings or suspend origination access when thresholds are breached.
Stuut handles routine matching and posts updates to your ERP in real time, flagging only the transactions that require your judgment rather than routing every payment through manual review. For AR teams at manufacturing and distribution companies already stretched across hundreds of accounts, that shift from processing everything to reviewing exceptions is where the time savings become material.
Stuut connects to your existing ERP via API in 3 to 4 days without modifying your chart of accounts or existing payment processing, and the cash application module posts entries to your ERP in real time.
If you want to see how Stuut handles ACH matching and exception management against your actual account portfolio, book a demo with the team.
The unauthorized return rate threshold is 0.5% of total debit entries originated, covering returns with codes R05 (unauthorized debit), R07 (authorization revoked), R10 (originator not known / not authorized by receiver), R11 (entry not in accordance with the terms of the authorization), R29 (corporate customer advises not authorized), and R51 (RCK entry ineligible or improper). Exceeding this threshold puts your company in Nacha's formal enforcement process, which begins with warnings and can escalate to fines of up to $500,000, and continuing monthly for unresolved violations.
You must keep your administrative return rate below 3% of total debit entries originated, covering returns caused by closed accounts, incorrect account numbers, or invalid routing information. Nacha also sets a 15% overall debit return rate guideline, excluding RCK entries.
Phase 1 went into effect March 20, 2026, covering high-volume originators. Phase 2 takes effect June 22, 2026 and covers all non-consumer originators regardless of transaction volume.
You can process up to $1 million per Same Day ACH transaction under the current limit. NACHA has approved an increase to $10 million, effective September 17, 2027.
The 2026 Nacha Operating Rules online resource costs $75 for Nacha members and $110 for non-members, with access running through December of the subscription year.
Nacha accepts four methods: prenotification entries, micro-deposit verification, third-party validation services, and API-based account verification. You must validate account numbers before first use and before any account number change.
Nacha requires you to retain proof of authorization records for two years following the date of the last transaction, covering written, voice, and digital consent formats.
ACH (Automated Clearing House): The electronic payment network that processes batch transactions, including direct deposits and B2B invoice payments, governed by Nacha Operating Rules.
ODFI (Originating Depository Financial Institution): Your company's bank, which submits ACH entries to the ACH Operator and holds you contractually accountable for return rate compliance and authorization requirements.
RDFI (Receiving Depository Financial Institution): Your customer's bank, which receives ACH entries and posts them to the customer's account.
SEC code (Standard Entry Class code): A three-letter code identifying the type of ACH transaction, such as CCD (business-to-business), WEB (online-authorized), or TEL (telephone-authorized).
Unauthorized return rate: The percentage of debit entries returned because account holders claim they did not authorize the transaction, capped at 0.5% of total entries originated.
Administrative return rate: The percentage of debit entries returned due to incorrect or stale account information such as closed accounts or invalid routing numbers, capped at 3% by NACHA guidelines.
Cash application: Matching incoming customer payments to open invoices in the AR subledger and posting the entries to the ERP in real time.
WEB debit entry: An ACH debit transaction authorized by a customer through an internet portal or wireless network, subject to NACHA's Account Validation Rule requiring account number verification before first use.
Prenotification (prenote): A zero-dollar ACH entry sent to the RDFI before initiating live transactions, used to confirm that an account is open and can accept entries.
CCD (Corporate Credit or Debit): The standard SEC code for business-to-business ACH transactions, covering most trade account payments and vendor debits in AR workflows.
