TL;DR: Proper authorization is the key to avoiding chargebacks. Follow Nacha rules for written, signed authorization with specific transaction details, maintain records for 2 years, and provide clear revocation methods.

Authorization requirements

Obtaining proper authorization for ACH transactions is the most important step you can take to protect against disputes, return fees, and reversed transactions. According to Nacha (the organization that oversees the Automated Clearing House network), there are only three reasons people can dispute ACH charges:
  1. Never authorized - The transaction was never authorized by the account holder or the authorization was revoked
  2. Wrong timing - The transaction was processed on a date earlier than authorized
  3. Wrong amount - The transaction is for an amount different than authorized
Disputing an ACH charge requires the account holder to provide written notice to the bank that one of these three conditions exists. This is significantly different from credit card transactions where customers can reverse charges by claiming dissatisfaction with products or services.

Required information to collect

You must collect and maintain the information listed below from customers for two years after the last payment.

Your authorization page or consent checkbox must plainly state that you’re obtaining consent to debit the customer’s bank account. Include express language such as:
I authorize [your company] to electronically debit my account and, if necessary, electronically credit my account to correct erroneous debits.

Transaction specific details

  • Date and time of transaction
  • Debiting account information (bank name and last 4 digits minimum)
  • Item purchased
  • IP address and corresponding details (email/phone)
  • Payment frequency for recurring transactions

Client/account information

  • Name on account and shipping information
  • Identity verification controls
  • Any additional authentication measures

Transaction history

  • Prior transaction history (especially for recurring payments)
  • IP information and login details
  • Previous purchase records

Receipt of transaction

  • Prompt customers to print and retain authorization copies
  • Send email receipts for processed transactions
  • Maintain digital or paper copies

Process for revocation

Your authorization flow must provide customers with a clear method to revoke authorization. Include a telephone number and/or email address on both the authorization page and confirmation receipts.

SEC codes

An SEC code is a three-letter code that describes how a payment was authorized by the consumer or business.
| SEC Code | Direction | Requirement |
| --- | --- | --- |
| PPD (Corporate to Consumer) | Credits | Authorization required. Oral or non-written means (voided check) accepted |
| PPD (Corporate to Consumer) | Debits | Authorization required. Written, signed, or similarly authenticated |
| CCD (Corporate to Corporate) | Debits/Credits | Agreement required for transfers between companies; written authorization implied |
| WEB (Corporate to Consumer) | Debits | Similarly authenticated authorization required due to Internet nature |
| WEB (Consumer to Consumer) | Credits | No authorization required |
| POS (Point-of-Sale) | Debit/Credit | Written and signed or similarly authenticated |

If you want to ensure compliance without becoming an ACH rules expert, focus on the practical examples and requirements outlined in this guide.

WEB debit entries (Internet transactions)

For Internet-initiated transactions (WEB entries), additional requirements apply. See also our guide on Internet vs Contract authorization.

Authorization requirements

  • Written authorization - Must be readable on screen or visual display
  • Similarly authenticated - Digital signatures, codes, shared secrets, PINs, or biometrics
  • Simultaneous authentication - Authorization and authentication should occur at the same time
Only the receiver may authorize WEB transactions - not third-party service providers on their behalf.

Authentication methods

The authentication method must:
  • Identify the receiver
  • Demonstrate the receiver’s consent to the authorization
  • Be sufficiently linked to the authorization process
Examples include:
  • Digital signatures
  • Secure codes or PINs
  • Shared secrets
  • Biometric verification

Record keeping

You must maintain:
  • Copy of the authorization language
  • Record of the authentication process
  • Transaction details including receiver information
  • Date/timestamp of login and authorization
Example: Provide a screenshot of authorization language plus date/timestamp of receiver login and authentication process that evidenced both identity and consent.

Standing authorizations

Standing authorizations allow consumers to authorize future debits that they initiate through subsequent actions.

Requirements

  • Advance authorization for one or more future entries
  • Clear specification of actions receivers can take to initiate payments
  • Receiver’s affirmative action required for each transaction

Examples of standing authorizations

  • Bill payment - Intermittent payments via phone, online, mobile app, or text
  • E-wallet services - Future debits for personal financial management
  • Virtual assistants - E-commerce payments via voice commands
  • Account transfers - Investment account funding based on activity

Record retention

Maintain for two years:
  • Original or copy of each standing authorization
  • Proof that receiver initiated each payment according to authorization terms

General authorization requirements (PPD entries)

For Prearranged Payment and Deposit entries:

Debit entries must

  • Be in writing
  • Be readily identifiable as ACH authorization
  • Have clear, understandable terms
  • Meet minimum authorization requirements
  • Be signed or similarly authenticated by consumer

Credit entries

Authorization may be obtained:
  • In writing
  • Orally
  • By other non-written means
You must provide receivers a copy of authorization for all debit entries and retain records for two years from termination or revocation.

Similarly authenticated standard

As an alternative to written signatures, consumers may authenticate authorizations through:

Telephone authentication

  • Minimum four-digit PIN codes
  • PIN printed on written authorization (for new relationships)
  • Audio recording of verbal codes
  • Record of VRU keystrokes

Best practices

  • Ensure PIN is in consumer’s possession during call
  • Be cautious with outbound calls to new customers
  • Comply with FTC Telemarketing Sales Rule
  • Make authorization language clear and conspicuous
Retain records of authentication codes, including audio recordings for verbal codes and keystroke records for VRU entries.

Notice requirements

Amount changes

If debit amount differs from previous entry or preauthorized amount:
  • Send written notification at least 10 calendar days prior
  • Include amount and scheduled debit date
  • No notice required if within agreed-upon range

Date changes

If scheduled debit date changes:
  • Send written notification at least 7 calendar days prior
  • Weekend/holiday variations don’t require notice

Compliance summary

Key compliance checklist:
  • Obtain proper written, signed authorization
  • Collect all required transaction details
  • Maintain records for 2 years minimum
  • Provide clear revocation process
  • Send required notices for changes
  • Use appropriate SEC codes
  • Implement proper authentication for Internet transactions
Following these authorization requirements protects against disputes, ensures Nacha compliance, and reduces the risk of returned transactions and associated fees.

ACH Authorization Language

This page provides sample authorization language for ACH debits and credits that can be incorporated into your terms of service.

Your Authorization for ACH Debits and Credits

By agreeing to these Terms, you authorize [[Business Name]] (“[[Company]]”) to electronically debit and credit your designated deposit account at your designated depository financial institution (your “Bank Account”) via ACH and, if ever applicable, to correct erroneous debits and credits via ACH for:
Choose and use only one of the following authorization types:
  • Single (one-time) entry for [[date and amount]]
  • Recurring entries (that recur at substantially regular intervals without my affirmative action to initiate future entries) [[interval and amount]]
  • Subsequent entries (initiated under the terms of my standing authorization) that require my affirmative action to initiate those future entries
You also acknowledge that the amount and frequency of the foregoing debits and credits may vary and that you waive your right to receive prior notice of the amount and date of each debit and credit.

Electronic Authorization Terms

You acknowledge that the electronic authorization contained in this ACH Authorization represents your written authorization for ACH transactions as provided herein and will remain in full force and effect until you notify [[Company]] that you wish to revoke this authorization by emailing [[support email address]].
You must notify [[Company]] at least 14 Business Days before the scheduled debit date of any ACH transaction from your Bank Account in order to cancel this authorization.
If we do not receive notice at least 14 Business Days before the scheduled debit date, we may attempt, in our sole discretion, to cancel the debit transaction. However, we assume no responsibility for our failure to do so.

Account Suspension Upon Authorization Withdrawal

If you withdraw your electronic authorization contained in this ACH Authorization, we will suspend or close your [[Company]] account, and you will no longer be able to use your [[Company]] account or the Services, except as otherwise expressly provided in our terms of service ([[link to terms of service]]).
Withdrawal of your electronic authorization contained in this ACH Authorization will not apply to transactions performed before the withdrawal of your authorization becomes effective.

Representations and Warranties

In addition to any of your other representations and warranties in this ACH Authorization, you represent that:
  1. Your browser is equipped with at least 128-bit security encryption
  2. You are capable of printing, storing, or otherwise saving a copy of this electronic authorization for your records
  3. The ACH transactions you hereby authorize comply with applicable law
Ensure all placeholder variables (marked with double brackets) are properly filled in before implementing this authorization language in your terms of service.

Web payment forms

For custom payment forms that directly integrate with the Straddle API, you must display the authorization terms on your payment page or have the buyer “click to consent” before confirming the payment. We recommend that you use the following consent text for your custom payment form or in the application/website user agreement. This text must include the customer’s name, bank account information, and the date.
By clicking [accept], you authorize Widgets Inc to debit the bank account specified above for any amount owed for charges arising from your use of Widgets Inc’s services and/or purchase of products from Widgets Inc, pursuant to Widgets Inc’s website and terms, until this authorization is revoked. You may amend or cancel this authorization at any time by providing notice to Widgets Inc with 30 (thirty) days notice.
Replace “Widgets Inc” with your actual company name in the authorization text.

Future payments

If you plan to use the customer’s bank account for future payments, also include this additional text:
If you use Widgets Inc’s services or purchase additional products periodically pursuant to Widgets Inc’s terms, you authorize Widgets Inc to debit your bank account periodically. Payments that fall outside of the regular debits authorized above will only be debited after your authorization is obtained.
Make sure the authorization text is clearly visible to customers before they complete their payment. Consider using checkboxes or prominent buttons to ensure explicit consent.
Regardless of the end-user experience, your application must capture customer consent in a reproducible fashion. This consent will be used to protect you from customer disputes.
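
One way to capture consent reproducibly, covering the WEB record-keeping items listed earlier (authorization language, authentication method, login and authorization timestamps). This is an added example, not Straddle's code or API: the function names, field names, key handling and sample values are all assumptions, and the HMAC seal is one possible way to make the stored record tamper-evident.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real deployment would load this from a secrets manager.
EVIDENCE_KEY = b"constructed-demo-key"


def _seal(fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(EVIDENCE_KEY, canonical, hashlib.sha256).hexdigest()


def build_consent_record(displayed_text, name, bank, account_number,
                         ip, login_at, authorized_at, auth_method):
    """Capture what the customer saw, who they were, and when they consented."""
    fields = {
        "authorization_text": displayed_text,  # verbatim language shown on screen
        "authorization_text_sha256": hashlib.sha256(displayed_text.encode()).hexdigest(),
        "account_holder": name,
        "bank": bank,
        "account_last4": account_number[-4:],  # evidence record keeps last 4 only
        "ip_address": ip,
        "auth_method": auth_method,
        "login_at": login_at.astimezone(timezone.utc).isoformat(),
        "authorized_at": authorized_at.astimezone(timezone.utc).isoformat(),
    }
    return {**fields, "seal": _seal(fields)}


def verify_consent_record(record: dict) -> bool:
    """True only if no field has changed since the record was sealed."""
    fields = {k: v for k, v in record.items() if k != "seal"}
    return hmac.compare_digest(_seal(fields), record.get("seal", ""))


# Constructed sample input; name and bank mirror the sample email on this page.
SAMPLE = build_consent_record(
    "By clicking [accept], you authorize Widgets Inc to debit the bank account "
    "specified above.",
    "Bob Loblaw", "Chase Bank", "000123456789", "203.0.113.7",
    datetime(2021, 6, 28, 14, 0, 5, tzinfo=timezone.utc),
    datetime(2021, 6, 28, 14, 2, 41, tzinfo=timezone.utc),
    "password login + emailed one-time code",
)
```

Store the sealed record for the full retention period and run `verify_consent_record` before producing it as dispute evidence; a record edited after the fact no longer verifies.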

Sending notification emails

You can send custom email notifications to customers to satisfy Nacha requirements. In the email, include the following information:
  • Authorization date
  • Amount
  • Account holder name
  • Financial institution
  • Routing number
  • Last four digits of the account number
The following is a sample auth confirmation email that you can send.

Payment Receipt

This document contains the details of a processed payment transaction.

Direct debit authorization confirmation

Thank you for signing up for direct debits from Widgets Inc. You have authorized Widgets Inc to debit the bank account specified above for any amount owed for charges arising from your use of Widgets Inc’s services and/or purchase of products from Widgets Inc, pursuant to Widgets Inc’s website and terms, until this authorization is revoked.

Modifying your authorization

You may amend or cancel this authorization at any time by providing notice to Widgets Inc with 30 (thirty) days notice.

Transaction Details

The following table shows the key information for this payment:
| Field | Details |
| --- | --- |
| Consent Date | June 28, 2021 |
| Payment Date | June 16, 2023 |
| Amount | $50.00 |

Account Information

Account Holder

Name: Bob Loblaw

Financial Institution Details

  • Bank: Chase Bank
  • Routing Number: 021000021
  • Account Number: ****6789
Account numbers are partially masked for security purposes. Only the last four digits are displayed.
Keep this confirmation for your records. You can modify or cancel your direct debit authorization at any time with proper notice.

Important Notes

The consent date (June 28, 2021) precedes the actual payment date (June 16, 2023) by nearly two years. Ensure this timeline aligns with your payment authorization requirements.
Keep this receipt for your records. You may need it for tax purposes or account reconciliation.

CCD authorization requirements

As with all ACH transactions, the Originator of a CCD entry must receive the Receiver’s authorization to debit or credit the Receiver’s account.
The Nacha Operating Rules do not require the CCD/CTX authorization to be in a specific form. However, the rules require the Originator and Receiver to have an agreement that binds the Receiver to the Rules.

Trading partner agreements

This trading partner agreement should contain the authorization requirements and procedures as determined by the parties. The companies negotiate the terms based on their specific business needs and requirements.
Nacha isn’t very helpful with specifics here due to the varied nature of B2B (CCD) transactions.

Best practices recommendation

Our recommendation would be to follow best practices outlined in this guide while also including specific language to the following effect:
Include clear authorization language that complies with Nacha Operating Rules while addressing the specific requirements of your business relationship.

ACH Transaction Agreement

Both parties agree to be bound by Nacha Operating Rules as they pertain to all ACH transactions initiated by [YOUR COMPANY Full Entity Legal Name] that credit or debit the [YOUR CUSTOMER Full Entity Legal Name] bank account and acknowledge that the origination of ACH transactions to the listed account must comply with provisions of U.S. law.
Replace the placeholder text [YOUR COMPANY Full Entity Legal Name] and [YOUR CUSTOMER Full Entity Legal Name] with the actual legal entity names when implementing this clause.
This clause establishes legally binding obligations under Nacha Operating Rules and U.S. law for ACH transactions between the specified parties.

Key Components

  • Nacha Operating Rules compliance - Both parties must adhere to established ACH network rules
  • Transaction scope - Applies to all ACH credits and debits to the specified account
  • Legal compliance - Must comply with applicable U.S. legal provisions
  • Entity identification - Requires full legal entity names for both parties