Hear Stuut chase cash! The agent doing $200M / mo in AI collections wants to chat.

Give Stuut a Ring

Nacha rules: What every AR team needs to know

Ben Winter
CPO
Table of contents

See Stuut in action

Get a personalized demo of Stuut and see how it can help with AR automation.

Get started

TL;DR: You must follow Nacha Operating Rules for every ACH transaction your company processes. Compliance means securing proper authorization before initiating debits, validating customer account numbers before first use, and keeping unauthorized return rates below 0.5%. Nacha's fraud monitoring rule amendments, effective June 22, 2026, require all non-consumer originators to implement risk-based fraud monitoring processes. Autonomous AR platforms handle the matching, validation, and monitoring tasks these rules create, freeing your team to focus on disputes and strategic accounts rather than manual data entry.

If your company originates ACH payments, your team likely overlooks the compliance layer underneath every ACH transaction you process: the Nacha Operating Rules. A return rate that edges past the 0.5% threshold, an improperly stored authorization record, or a missed fraud monitoring deadline can trigger fines that compound monthly and, in severe cases, restrict your company's ability to originate ACH entries entirely.

This guide covers the rules that affect your AR work directly, stripped of banking jargon, and explains what the 2026 rule changes require you to do before June 22nd.

How do Nacha rules impact your AR team?

Nacha (the National Automated Clearing House Association) writes and enforces the Operating Rules for the ACH Network. In 2025, the ACH Network processed 35.2 billion payments valued at $93 trillion, marking the 13th consecutive year total ACH value increased by at least $1 trillion.

You face Nacha compliance obligations whenever a customer pays via ACH debit, direct deposit, or same-day ACH transfer. That includes the routine B2B payments that flow into your ERP every day: vendor payments, trade account settlements, and recurring invoice debits. Every one of those transactions carries authorization requirements, validation obligations, and return rate responsibilities that fall on your company as the originator.

Which Nacha rules apply to AR?

The rules that directly affect AR work fall into three categories: authorization, account validation, and return rate management. The table below maps each rule type to the party responsible and the practical obligation it creates for your team.

Rule type Applies to AR team obligation
Authorization (CCD, WEB, TEL) Originators Secure and store written, voice, or online consent before initiating debits
Account Validation Rule Originators of WEB debit entries Validate account numbers before first use and after any changes
Unauthorized return rate (0.5% cap) Originators Monitor returns coded R05, R07, R10, R11, R29, R51 (unauthorized debit, authorization revoked, originator not known / not authorized by receiver, entry not in accordance with the terms of the authorization, corporate customer advises not authorized, RCK entry ineligible or improper)
Administrative return rate (3% cap) Originators Keep returns from bad account info below 3%
Same Day ACH eligibility Originators and ODFIs Confirm transactions are under $1 million and submitted within processing windows
2026 Fraud Monitoring Rule All non-consumer Originators (June 22, 2026) Implement risk-based processes to flag suspected unauthorized entries

These obligations sit with you as the originator, meaning your ODFI holds you contractually accountable for compliance failures.

AR's obligation to Nacha rules

You need to understand where your company sits in the ACH Network because it determines which compliance obligations you carry. Per Nacha's ACH developer guide, every ACH transaction involves four parties:

  • Originator: Your company, when you initiate the ACH entry to collect a customer payment
  • ODFI (Originating Depository Financial Institution): Your bank, which forwards entries to the ACH Operator and binds you to NACHA rules through your origination agreement
  • ACH Operator: The Federal Reserve or The Clearing House, which routes transactions between banks
  • RDFI (Receiving Depository Financial Institution): Your customer's bank, which posts the payment to their account

As a direct originator or third-party sender, your ODFI holds you contractually accountable for return rate thresholds and authorization compliance. As Stripe's NACHA explainer notes, your bank can suspend ACH origination access if violations go unresolved, which makes this a business-critical risk, not just a banking formality.

Authorization requirements for ACH payments

You must secure proper authorization before initiating any debit against a customer's bank account. NACHA requires documented evidence that the customer consented to that specific transaction or recurring series of transactions, and missing that proof puts you in violation.

How to secure proper ACH authorization

Nacha defines authorization requirements based on how the customer consents and the type of transaction. The most common authorization types for AR teams are:

  1. Written authorization (CCD entries): For business-to-business ACH debits, your payment intake forms or onboarding agreements must explicitly state the debit terms. The authorization should clearly identify itself as an ACH debit authorization with understandable terms that the customer has signed or similarly authenticated.
  2. Voice authorization (TEL entries): For telephone-authorized debits, you must clearly state during the call that the customer is authorizing an ACH debit, express the terms in plain language, receive unambiguous verbal consent, and retain the recorded call as proof of authorization. Stuut's voice agent handles collections conversations, confirms payment timing with customers, and logs every interaction to your communication history and audit trail, but calls involving TEL debit authorization, complex disputes, or payment plan negotiations still need a member of your team to handle directly.
  3. Online authorization (WEB entries): For ACH transactions authorized over the internet or a wireless network, Nacha's WEB authorization guidance requires stronger authentication protocols because of the higher fraud risk in digital channels. Multifactor authentication is the industry standard method for confirming customer identity before processing a debit through an online portal.

Recording and storing ACH authorizations

You must retain proof of authorization records for the two-year retention requirement following the date of the last transaction, covering written agreements, recorded calls, and digital consent logs. For AR teams managing hundreds of customer accounts, that documentation burden compounds quickly. It requires a system that stores records automatically, not a shared drive that depends on individual collectors remembering to save files.

Protect payments: Prevent fraud and errors

You protect your company and your customers when you validate account numbers before processing payments. When payment data is inaccurate or has been altered through fraud, entries return as unauthorized debits and push your return rate toward NACHA's enforcement thresholds.

Nacha validation rule mandates

You must validate a customer's account number before its first use and before any change to that account number under Nacha's Account Validation Rule for WEB debits. Nacha is specific: Account validation is a required component of "a commercially reasonable fraudulent transaction detection system" for WEB debit entries, with enforcement consequences for non-compliance. The Nacha Account Validation Resource Center provides detailed implementation guidance for businesses working through the requirement.

Your practical obligation as an AR analyst is to confirm that any account number you receive from a customer is open and capable of accepting ACH entries before you initiate the first debit. Unvalidated account changes can drive administrative returns (the 3% return rate category) and create fraud exposure if a bad actor submits falsified account details. Staying current on WEB debit validation preparation is essential as enforcement tightens.

Compliant account validation steps

Nacha's Account Validation Resource Center provides examples of accepted validation methods, including:

  1. Prenotification entry: Send a zero-dollar prenote to the RDFI before live transactions. No response within the return window confirms the account is open and accessible.
  2. Micro-deposit verification: Deposit a small amount (typically a few cents) into the customer's account and ask them to confirm the exact figure before activating the payment method.
  3. Third-party validation service: Use a commercially available service that queries bank databases, validates routing numbers, or uses open banking APIs to confirm account status.
  4. API-based account verification: Use real-time API connectivity to confirm account details at the point of payment enrollment.

Stuut's cash application module achieves a 95%+ automated match rate by parsing remittance data from bank accounts and lockboxes automatically and posting entries to the AR subledger in real time. The system flags payments it cannot match with confidence and routes them to you for review, so your team handles exceptions rather than processing every transaction by hand.

Nacha rules for unauthorized returns

You need to monitor your return rates closely because Nacha tracks them to ensure originators aren't debiting accounts without proper consent or with inaccurate banking data. Both conditions damage the integrity of the ACH Network and trigger escalating consequences for your company.

Nacha return rate thresholds

Per Nacha return rate thresholds, two separate caps govern your origination activity:

Threshold type Rate cap Return codes covered
Unauthorized debit returns 0.5% of total entries originated R05 (unauthorized debit), R07 (authorization revoked), R10 (originator not known / not authorized by receiver), R11 (entry not in accordance with the terms of the authorization), R29 (corporate customer advises not authorized), R51 (RCK entry ineligible or improper)
Administrative returns 3% of total debit entries originated Closed accounts, incorrect account numbers, invalid routing

Nacha also sets an overall debit return rate guideline of 15% or below, excluding RCK (re-presented check) entries. RCK entries are ACH debits created from checks that have been returned for insufficient or uncollected funds, and they're excluded because they represent a different risk profile than original ACH authorizations. The unauthorized 0.5% cap is the one most likely to trigger formal enforcement because those specific return codes indicate the account holder claims they never authorized the transaction.

Penalties for exceeding Nacha limits

Nacha noncompliance penalties escalate through a formal warning and fine system. Early violations generate formal warnings, and repeated or unresolved violations result in fines of up to $500,000, and continuing monthly for unresolved violations. In the most serious cases, Nacha can suspend your company's ability to originate ACH entries entirely, which eliminates the digital payment channel most B2B customers prefer. Enforcement flows through Nacha's National System of Fines, administered by your ODFI.

Same Day ACH criteria for AR teams

Same Day ACH settles transactions within the same business day, which reduces DSO for AR teams that can route qualifying payments through this channel. For a broader look at how faster settlement connects to cash flow improvement, see our DSO improvement checklist.

Current Same Day ACH transaction limits

The current Same Day ACH limit is $1 million per transaction. Nacha's membership has already approved a future increase, and the limit rises to $10 million on September 17, 2027. For most mid-market B2B invoice payments, the current $1 million cap covers the vast majority of transactions your team processes today.

Nacha rules for eligible ACH payments

To qualify for Same Day ACH, transactions must fall below the per-transaction dollar limit and you must submit them to your ODFI within one of the three designated processing windows during the business day: 10:30 AM ET, 2:45 PM ET, and 4:45 PM ET. International ACH transactions (IAT entries) are not eligible. For B2B AR, CCD entries (Corporate Credit or Debit) are the standard code for business-to-business debits and credits and qualify for Same Day ACH processing when submitted on time and within the dollar threshold.

AR team's guide to 2026 Nacha Operating Rules changes

The 2026 rule changes represent the most significant update to Nacha's fraud framework in recent years, and the compliance burden falls on originators including your AR team's payment operations.

How 2026 Nacha rules affect AR

Nacha's fraud monitoring rule amendments, effective June 22, 2026, require all non-consumer originators to implement risk-based fraud monitoring processes regardless of transaction volume. You can no longer rely entirely on your ODFI to catch fraud upstream. You need documented internal processes for flagging suspicious payment activity before you submit entries, covering your role in authorizing or transmitting ACH entries that may be "suspected of being unauthorized or authorized under False Pretenses," as Nacha's language states.

AR team's 2026 Nacha compliance checklist

Use these six steps to prepare:

  1. Document your fraud monitoring processes: Write down the specific steps your team takes to identify suspicious ACH entries, including who reviews flagged transactions and what escalation path they follow.
  2. Validate account verification procedures: Confirm your WEB debit validation process is active and applied to all new and changed account numbers.
  3. Audit authorization storage: Verify that authorization records for the last two years are organized, accessible, and cover written, voice, and digital formats.
  4. Review return rate reports: Pull your unauthorized return rate (R05, R07, R10, R11, R29, R51) and administrative return rate from your ODFI's reporting portal. If either is trending toward the threshold, address the root cause now.
  5. Confirm origination volume scope: Determine whether Phase 1 (effective March 20, 2026) applies to your company if you originated over 6 million entries in 2023. Phase 2 (effective June 22, 2026) applies to all non-consumer originators regardless of volume, so most AR teams need to focus on the June 22 deadline.
  6. Review your cash application process: If manual matching is your primary method, identify where entry errors are generating administrative returns and pushing you toward the 3% threshold.

Key dates for 2026 Nacha rules

Date Requirement
March 20, 2026 Phase 1 Fraud Monitoring Rule effective (high-volume originators, ODFIs)
June 22, 2026 Phase 2 Fraud Monitoring Rule effective (all non-consumer originators)
September 18, 2026 Additional Nacha Operating Rules updates take effect
September 17, 2027 Same Day ACH limit increases from $1 million to $10 million

Nacha clarified that June 19, 2026 is a federal holiday, so the practical compliance date is the next banking day, Monday, June 22, 2026.

Nacha compliance made simple for AR teams

You can integrate Nacha requirements into the systems your team uses daily rather than managing them as a separate checklist. The goal is building compliance into your workflow, not adding manual overhead to an already full day.

Nacha violation risks for AR teams

The two most common compliance failures for AR teams are return rate accumulation and authorization documentation gaps. Return rate accumulation happens when stale or unverified customer banking data drives up administrative returns without anyone noticing until the ODFI sends a warning. Authorization gaps occur when customers update their banking details informally and those changes enter the ERP without re-validation, creating entries with no defensible consent record. Both problems are invisible until they become enforcement issues, and teams that rely on manual collections processes face heightened exposure because informal communication creates undocumented authorization chains.

Identifying Nacha-covered ACH transfers

When you work the aging report each morning, look for standard SEC entry class codes in your ERP or bank transaction feed to identify NACHA-covered ACH transfers:

  • CCD entries: Business-to-business debits and credits, covering most trade account payments
  • WEB entries: Transactions authorized through an online portal or digital payment link (subject to the Account Validation Rule)
  • TEL entries: Transactions authorized by telephone (require recorded verbal consent)
  • PPD entries: Consumer-authorized recurring or one-time debits

Any entry in these categories carries authorization, validation, and return rate requirements. If your ERP doesn't surface these codes directly, your ODFI's reporting portal typically breaks them out by entry class.

Nacha rule enforcement bodies

Nacha enforces rules through the National System of Fines, a formal warning-and-fine structure where ODFIs report violations and escalate them through Nacha's compliance review process. Day-to-day enforcement sits with your ODFI, which monitors your return rates and can issue warnings or suspend origination access when thresholds are breached.

Stuut handles routine matching and posts updates to your ERP in real time, flagging only the transactions that require your judgment rather than routing every payment through manual review. For AR teams at manufacturing and distribution companies already stretched across hundreds of accounts, that shift from processing everything to reviewing exceptions is where the time savings become material.

Stuut connects to your existing ERP via API in 3 to 4 days without modifying your chart of accounts or existing payment processing, and the cash application module posts entries to your ERP in real time.

If you want to see how Stuut handles ACH matching and exception management against your actual account portfolio, book a demo with the team.

FAQs

What is the Nacha unauthorized return rate threshold?

The unauthorized return rate threshold is 0.5% of total debit entries originated, covering returns with codes R05 (unauthorized debit), R07 (authorization revoked), R10 (originator not known / not authorized by receiver), R11 (entry not in accordance with the terms of the authorization), R29 (corporate customer advises not authorized), and R51 (RCK entry ineligible or improper). Exceeding this threshold puts your company in Nacha's formal enforcement process, which begins with warnings and can escalate to fines of up to $500,000, and continuing monthly for unresolved violations.

What is the Nacha administrative return rate threshold?

You must keep your administrative return rate below 3% of total debit entries originated, covering returns caused by closed accounts, incorrect account numbers, or invalid routing information. Nacha also sets a 15% overall debit return rate guideline, excluding RCK entries.

When do the 2026 Nacha fraud monitoring rules take effect?

Phase 1 went into effect March 20, 2026, covering high-volume originators. Phase 2 takes effect June 22, 2026 and covers all non-consumer originators regardless of transaction volume.

What is the current Same Day ACH transaction limit?

You can process up to $1 million per Same Day ACH transaction under the current limit. NACHA has approved an increase to $10 million, effective September 17, 2027.

How much does the Nacha Operating Rules subscription cost?

The 2026 Nacha Operating Rules online resource costs $75 for Nacha members and $110 for non-members, with access running through December of the subscription year.

What validation methods does Nacha accept for WEB debit entries?

Nacha accepts four methods: prenotification entries, micro-deposit verification, third-party validation services, and API-based account verification. You must validate account numbers before first use and before any account number change.

How long must ACH authorization records be retained?

Nacha requires you to retain proof of authorization records for two years following the date of the last transaction, covering written, voice, and digital consent formats.

Key terms glossary

ACH (Automated Clearing House): The electronic payment network that processes batch transactions, including direct deposits and B2B invoice payments, governed by Nacha Operating Rules.

ODFI (Originating Depository Financial Institution): Your company's bank, which submits ACH entries to the ACH Operator and holds you contractually accountable for return rate compliance and authorization requirements.

RDFI (Receiving Depository Financial Institution): Your customer's bank, which receives ACH entries and posts them to the customer's account.

SEC code (Standard Entry Class code): A three-letter code identifying the type of ACH transaction, such as CCD (business-to-business), WEB (online-authorized), or TEL (telephone-authorized).

Unauthorized return rate: The percentage of debit entries returned because account holders claim they did not authorize the transaction, capped at 0.5% of total entries originated.

Administrative return rate: The percentage of debit entries returned due to incorrect or stale account information such as closed accounts or invalid routing numbers, capped at 3% by NACHA guidelines.

Cash application: Matching incoming customer payments to open invoices in the AR subledger and posting the entries to the ERP in real time.

WEB debit entry: An ACH debit transaction authorized by a customer through an internet portal or wireless network, subject to NACHA's Account Validation Rule requiring account number verification before first use.

Prenotification (prenote): A zero-dollar ACH entry sent to the RDFI before initiating live transactions, used to confirm that an account is open and can accept entries.

CCD (Corporate Credit or Debit): The standard SEC code for business-to-business ACH transactions, covering most trade account payments and vendor debits in AR workflows.

Ben Winter

CPO

Ben brings over a decade of go-to-market and operations expertise to building AR automation that actually works. He was VP Marketing at Fairmarkit (where he met Tarek) and GTM executive at Waldo before co-founding Stuut. He focuses on operations, product, and marketing—ensuring the platform integrates seamlessly with existing ERP systems and delivers results in days rather than months.

Frequently asked questions  about DSO

Is a higher or lower DSO better?
Lower is better because it means cash reaches your account faster. A DSO of 35 days is better than 55 days if your payment terms are the same.
Does DSO include current AR?
Yes. DSO reflects the total dollar amount you're owed from outstanding invoices, including invoices that aren't yet due.
How does bad debt affect DSO?
Writing off bad debt reduces your AR balance, which artificially lowers DSO even though no cash was collected. Ensure your AR figure is net of bad debt reserves for accurate measurement.
Should I calculate DSO monthly or annually?
Both. Annual DSO tracks long-term trends, while monthly DSO helps you spot process problems quickly and take corrective action before they compound.
What's the difference between DSO and CEI?
DSO measures collection speed in days. CEI measures collection quality as a percentage. A company can have low DSO but poor CEI if they're writing off accounts aggressively.
Can I reduce DSO without upsetting customers?
Yes. Proactive communication before due dates, helpful reminders, and fast dispute resolution improve customer experience while accelerating payment.

Related posts

Setup time to learn more