Collecting sensitive financial information and using it to process recurring – or even one-time – payments is a serious affair. Thankfully, for consumers and clients everywhere, there are ACH rules that regulate the debits and credits that move money from bank to bank via the ACH network. These ACH laws are codified on an annual basis by NACHA, and businesses using their network are responsible for knowing the rules and conducting due diligence on every transaction they process.

What is NACHA?

ACH stands for Automated Clearing House, which is an electronic network for sending credits and debits around the United States. NACHA, short for National Automated Clearing House Association, is the organization that oversees the ACH network. Contrary to what you might guess, NACHA is not a government organization. It’s a non-profit with a board of directors composed of a diverse range of individuals in the financial services industry.

The Rules and Operations Committee, which creates the NACHA rules, represents big banks, regional banks, local banks, credit unions, the U.S. Treasury, the Federal Reserve Bank, and even end-users of the ACH network. Those end-users on the committee are not typically small businesses, but they are organizations that make frequent use of the ACH network, such as a payroll company or a university collecting tuition payments.

What does NACHA require?

NACHA rules are periodically updated and created, but there are several basic principles that stay consistent. You can be sure that making these particular ACH rules a cornerstone of your payment processing and HR procedures will never go out of style.

As you might guess, a basic rule is that you need to properly store sensitive customer data, which includes bank account numbers and routing numbers. You might be surprised to learn that a savvy thief can also piece together other seemingly less serious pieces of information to commit a crime—even, for example, the agreed-upon payment date when the fee for a subscription service is taken from a customer’s bank account. You never know if a thief might succeed in taking this information and calling the customer’s local bank to ask about a charge on “their” bank statement. It’s up to you to make sure that customer info can’t become that foot in the door. Paper records of customer info must be stored in a safe location like a locked drawer inaccessible to employees. Digital records must be securely stored and encrypted.

Verifying customer identity

It’s up to you to verify customer identity and banking information. In brick-and-mortar stores, many merchants are lax about asking – for instance – to see a driver’s license in order to verify a credit card, but the risk for fraud is exponentially increased online. You must take the extra step to verify customers, perhaps by having them create an account so an email and/or phone number can be verified. A third-party payment processor (TPPP) can defuse a potentially awkward situation you may be hoping to avoid by creating a seamless way to verify customer identity. That way, you won’t have to sacrifice customer experience for security.

You need to have a process in place to handle fraudulent transactions, and that process should be committed to writing. If you are a small business owner, you don’t have to have something as complex as the fraud department of an international bank, but you are required to do what is commercially reasonable in terms of detecting potential fraud. Sometimes this just requires a little bit of common sense, although in some cases (especially online) common sense cannot beat a fraud detecting algorithm. The benefit of using a TPPP is that they will have robust fraud detection mechanisms in place, such as flagging suspicious or duplicate transactions.

There are also ACH best practices to consider, some of which are legally binding. You should verify account and routing numbers before submitting them, and collect customer approval for processing payments on an agreed-upon date. If you are collecting an ACH authorization on the phone, you can only do so if you have a preexisting relationship or if the customer initiated the call. ACH best practices are always changing, and it’s good to be familiar with the latest iteration of NACHA rules, even if you use the services of a TPPP.

Why do I need to comply with NACHA requirements?

Violating the NACHA rules is (generally speaking) not going to land you in white-collar prison. But it can create serious problems for your business and ruin its reputation. In some severe cases, NACHA can fine your business for up to half a million dollars every month until the issue is resolved. If problems continue, NACHA may even bar your business from using the ACH network, which would be rather inconvenient… especially if your business operates on recurring payments like subscriptions, memberships, tuition, or rent.

You may think that violating NACHA rules won’t go beyond NACHA. After all, is someone really going to troll your business on Yelp because a disgruntled employee broke into a filing cabinet and used customer information to pay their phone bill? You’d be surprised (or maybe not) that customers on the wrong end of an ACH transaction gone bad will let other people know what happened. They may also raise a (justified) stink if there isn’t a mistake, fraud, or criminality behind an ACH charge, but the transaction itself is disputed. Protect your customers and your business by adhering to ACH dispute rules and the NACHA rules in general.


As mentioned, one of the biggest benefits of using a TPPP is that they handle much of the NACHA headache for you. Granted, it’s still good to be aware of the NACHA rules and any changes or updates made to them every year. But when you use a TPPP to process recurring (or one-time) payments, secure encrypted storage, identity verification, and fraud detection are all taken care of, in addition to the myriad other concerns promulgated by the NACHA Rules and Operations Committee.

With NACHA compliance off your plate, you can go back to running your business and all the other related areas that need your day-to-day attention. Of course, another benefit of using a TPPP is that they have the tech resources to seamlessly integrate the ACH process into your consumer-facing website. The other great benefit of using the ACH network is the cost. With the average ACH payment costing businesses $0.29 cents, NACHA beats Mastercard, Visa, and especially American Express in terms of cost per transaction. Using a TPPP allows you to take advantage of these benefits without having to deal with any backend concerns.

Check out what Rotessa can offer your business in terms of a TPPP with a seamless integration into your website and with your accounting software. Once you see what our free authorization tool can do for your payment processing, you’ll want to speak with one of our dedicated account managers to hear more about why 2,000 businesses in every industry are using Rotessa as their TPPP.
