An Introduction to ACH for Merchants and Developers
This is an Introduction/Tutorial for FinTechs/Merchant on how to handle ACH along with some introduction to key concepts/glossary.
Did you get paid this month?
Did you pay for a utility like your phone, rent, or mortgage without a check?
If you live in the US, chances are you used a payment system called ACH.
ACH (Automated Clearing House) is the primary payment method for paying taxes, employees, and suppliers.
Fintech and Crypto businesses can use ACH to
- Accept recurring payments (AKA “auto-pay”)
- Pay employees
- Pay suppliers (B2B payments)
- Fund Fintech wallets, buy NFTs or Crypto
- Pay taxes
- Move funds between accounts
In 2021, 29.1 bn in payments, valued at $72.6 trillion, were sent via ACH, growing 8.7% YoY, or 17.4% by dollar value. Consumers paid $13.9 trillion in bill payments, and person-to-person payments grew to $402bn, growing 25% YoY and by far the fastest-growing segment.
In this intro, we’re going to look at
- Why do companies choose ACH over cards?
- What is ACH?
- How does ACH work
- What you need to know about ACH
- ACH Fraud Patterns
- Unlocking ACH for your customers
1. Why do companies choose ACH over cards?
ACH has some key benefits:
- Wide acceptance: ACH is the most widely accepted domestic payment rail in the US (accepted by 11,000+ FIs)
- Affordable: ACH is often cheaper than cards
- High limits: ACH enables higher limits per transaction than cards
- High approvals: ACH often has higher approval rates than cards for high-risk payment types (e.g., Crypto or NFT purchases and wallet funding)
- Consumer friendly: ACH payments are often guaranteed by the banks, meaning customers are made whole in the event of fraud.
ACH is widely adopted: Other non-card payment (or messaging) systems (Zelle, RTP, etc.), have limited adoption by smaller banks. This is largely due to the technology needed to receive and acknowledge these messages. Where a larger bank has the resources and technology to settle a payment within 15 seconds a smaller bank may rely on 3rd parties or their own, older technology.
ACH is the most widely accepted network but its age and scale often mean it does not support the real-time experience consumers and builders prefer. Therefore an ACH payment still takes an average of two business days to settle and requires a lot of information to complete payment.
ACH can be affordable and offer higher limits and approvals: However, given the scale of the network, there is significant price competition, and an ACH payment typically costs a flat fee (e.g., $0.10) vs. cards which may cost 2.5% + $0.30. Unlike cards, the ACH network typically does not limit a transaction by its type or size (however, the underlying bank may).
Card networks carry data about a payment that allows banks to reject transactions or set limits for certain categories. This allows large banks to block transactions for payments to merchants like gaming, digital assets, and loading digital wallets. For merchants and legitimate customers, this can be a frustrating experience. If properly managed with ACH, such issues can be overcome.
Consumer-friendly: The rules of ACH (set by NACHA) require that banks prevent the risk of fraud and make a customer whole in the event they are scammed.
The downside of all of this is that with high limits, and high approval rates, the potential for fraud is significant. But with a two-day delay for settlement, this prevented ACH from being used for everyday purchases.
Some companies now offer real-time ACH products to consumers and merchants, but this can dramatically increase the fraud risk if it is not properly managed (more on this later).
2. What is ACH?
An ACH payment settles via the “Automated Clearing House” network (hence ACH).
Delivery of ACH transfers can take several business days because they only happen on the days that banks are open — like weekdays and non-holidays.
NACHA is the trustee of the ACH Network and manages the development, standards, administration, and governance funded by its 11,000 member institutions. Nacha publishes the operating rules annually designed to help institutions and members manage risk and ensure the system's safety.
This is important for companies because the file standards may change what you have to build and the consequences you face if something goes wrong.
Two central clearing facilities comprise the ACH Network:
- The Federal Reserve (FedACH) processes payments on behalf of the government, such as social security and government payroll, and an estimated 75% of payments are on the ACH network.
- The Clearing House (TCH) is owned by 25 large international banks. It processes an estimated 25% of ACH transactions (accounting for half of the commercial transactions such as B2B payments and bill pay).
For each transaction, you have:
- The person who instructs the initiation of a message (the Originator)
- The financial institution that sends the message on behalf of the sender (the Originating Depository Financial Institution, or ODFI)
- The financial institution that receives the message on behalf of the receiver (the Receiving Depository Financial Institution, or RDFI)
- The person who receives the message (the Receiver)
- The ACH Operator, either The Clearing House or The Fed determines and facilitates the settlement of the transaction
Nacha has some hard-to-understand terminologies and various use cases; it can get confusing to understand who is who and how that relates to a transaction.
It’s important to understand this terminology because it changes with different ACH transactions.
For example, if you use ACH to send funds to a business to settle an invoice for someone or “pushing funds,” the roles logically map out.
- The Originator (you)
- The ODFI (your bank)
- The RDFI (the business’s bank)
- The Receiver (the business)
However, say you were using ACH to enable someone to pay into a digital wallet you built. This would involve “pulling” money out of someone’s account. In this case, it gets confusing:
- The Originator (you, even though the funds are coming from the customer account)
- The ODFI (your bank, not the customers bank)
- The RDFI (the customer’s bank)
- The Receiver (the customer)
Always remember, whoever initiates the transaction is the originator, even if they’re also the receiver.
3. How does ACH work?
An ACH Credit/Push is a type of ACH transfer where funds are pushed or credited into a bank account.
- A customer “pushes” funds to be sent to a utility company (bill pay) from their bank app.
- An employer “pushes” your direct deposit (salary).
Note: Some banks charge fees for any money going outward from the bank.
An ACH Debit/Pull is a type of ACH transfer where funds are pulled or debited from a bank account.
The receiver (customer) gives the originator (beneficiary) permission to “pull” payment from their account.
(Fintech companies often trigger this by asking customers to log into their bank account using open banking services like Plaid, MX, and Finicity (et al.). This is to get the account and routing numbers with a slick experience for the consumer.)
For ACH Debit, the merchant has to check the bank account's sufficient cash flow by looking at the customer’s transactions. Without first checking, the customers bank will return an error.
After obtaining authorization, a merchant will initiate a transaction through their bank (ODFI) to debit the customer's bank account (RDFI).
ACH SEC Codes
The ACH system supports several different types of ACH debits.
Each is identified by its Standard Entry Class (SEC) code.
The following are common SEC codes
Risks with ACH Debits
When the Originator’s account is not the account the funds originate from (remember — the originator is the person who sends the message), NACHA rules dictate financial institutions must reverse or return a transaction.
When this happens, the merchant will receive an “ACH return code.”
NACHA RETURN CODES
Understanding Nacha return codes allows builders to manage errors, failures, and risks with ACH. See the table below for some examples.
In short, the ACH returns contain two main categories:
NSF (R01): Not Sufficient Funds (NSF) is the most significant risk with ACH. This is the lack of funds available during the ACH settlement. Hence, many companies will have a hold period, where the asset (e.g., crypto) will not be available until the ACH is cleared. Nacha has a threshold of 15% for NSF, after which they may take action against the bank/merchant.
A merchant is allowed to re-initiate/retry to recover the NSF by sending the transaction to NACHA twice (max) with 180 days (6 months) of the NSF/R01 or R09 (Uncollected funds). The merchant may check the balance and send “Retry Pymt” at the time of retry attempts.
Fraud (R05/R07/R10/R11/R29/R51): These are unauthorized ACH debits that can be returned for up to 60 days after settlement. NACHA has a threshold of 0.5% for unauthorized fraud, where the reason codes include R05, R07, R10, R11, and R29. Some merchants may consider R16 (Account Frozen) as fraud, even though NACHA may not include them in their calculation. This is similar to the fraud threshold concept that Visa/Mastercard networks have for their merchants.
Unlike the card chargeback process, the Originating Financial institution (your bank) doesn’t have many options to dispute the return of a transaction. Even if you have collected proof of the customer approving the debit and have agreed on terms and conditions and a signed statement, you will most likely not be able to deny the return via NACHA. Although you may be able to recoup the owed funds via legal methods outside of the ACH Network, the chances are slim, exposing many fintechs to various types of fraud losses.
NACHA RETURN RATE RULES
To summarize, per NACHA — https://www.nacha.org/rules/ach-network-risk-and-enforcement-topics below return rates are what you need to ensure in the past 60 days
- Overall Returns must stay below 15%. This tends to be dominated by NSF ie R01 and R09. A typical NSF may be around 1.45%, but if the merchant does not check the balance and/or does not have a hold time concept then the overall return may explode to over 15%.
- Admin Returns must stay below 3% and an average merchant may find this to be around 0.33%. This is for return reason codes: R02, R03, and R04. A usual reason for admin code like R04 happening is that a Chase customer may connect via an aggregator like Plaid and then request for the token (TAN) to expire/remove. Hence when the actual ACH is sent it will get rejected as the tokenized account number is no longer valid.
- Unauthorized Returns must stay below 0.5% and an average merchant may find this to be typically around 0.3%. This is for return reason codes: R05, R07, R10, R29 and R51.
4. Instant ACH
In Credit card processing, an authorization step ensures sufficient funds (balance) and that the network/issuer has done real-time fraud checks on that card.
In ACH, there is no real-time authorization or “instant ACH.”
All the ACH transactions are sent in batches and cleared in roughly two days. It may take 1 or 5 days before the funds are made available, assuming they are not rejected. Hence there are insufficient funds (NSF) risks if someone supports “Instant ACH” i.e. providing funds to the customer in advance of the settlement. This is similar to the NSF risk handled by Buy Now Pay Later (BNPL) companies.
In short, the “authorization” is delayed by the processing time, i.e., 2–5 days. This means the merchant should wait 2–5 days before releasing funds to the customer or be willing to take in the credit risk for 2–5 days.
Some Fintech companies offer “Instant ACH,” which can have higher approval rates and limits than cards. However, the ability to offer this relies on understanding the fraud rates and losses possible for that customer.
To achieve this, Fintech companies often devise an “Instant ACH limit” to take some risk as a tradeoff to a good UX. Fintech wallets range between $250 and $1000 for standard users. For Coinbase, this is usually closer to $10–15k (thanks to Sardine CEO Soups Ranjan).
Instant, low-cost, high limits, high approval and real-time payments are possible if you understand the Fraud risks well enough.
Same Day ACH vs Instant ACH
Same Day ACH adds more settlement windows on the same day as compared to a normal ACH. The banks will charge higher cost to the merchant for the same day ACH as compared to a normal ACH . Same Day ACH submission deadline is at 10:30 am ET, 2:45 pm ET and 4:45 pm ET. The settlement for this submission will happen at 1 pm ET, 5 pm ET and 7pm ET respectively. Instant ACH is a facility that a merchant adds over the Same Day ACH/Normal ACH.
5. ACH Fraud Patterns
The deeper you go into Fraud, the more patterns you find.
Fraudsters find the most creative and inventive ways to attack Fintech companies and often target new companies or product launches.
Understanding the common things to look out for can prevent large losses and poor customer experiences.
First Party Fraud
Unlike applying for a credit card, it is much easier for a fraudster to create new bank accounts. Fraudsters are known to create thousands of bank accounts just to collect a few cents from companies like PayPal, which may use “micro deposit” to validate the bank account. The fraudster can also hire mules, use relatives' credentials of relatives or control remote sessions via scams.
An average customer can have financial issues, or a fraudster can abuse the system by not having sufficient funds at the time of ACH settlement. For example, an ACH is initiated Monday morning, and Plaid/MX verifies the balance. The fraudster clears the account on Monday afternoon, and the ACH hits on Tuesday with a $0 balance.
The ACH item is returned to the ODFI R01 — NSF on Wednesday.
The customer will ensure that there is a balance at the time of Bank linkage and eventually clears up the account after the transaction is completed.
In these cases, the account is taken over (ATO) by the fraudster by getting hold of the userId/password and sometimes OTP via phishing.
They will then use it to make purchases.
There are, of course, many thousands more attacks and levels of complexity.
6. Unlocking ACH for your customers.
ACH is perfectly imperfect.
Handling ACH risk or handling ACH indemnification is hard. Many practitioners observed they didn’t know they were suffering fraud losses until it was too late.
But the promise of instant ACH is significant. It has enabled everything from getting paid two days early to instantly buying Crypto or NFTs. ACH offers higher limits than cards, and if you deeply understand the risks, it can be a much higher converting payment method than cards.
The more you understand the risks, the higher the conversion and the better the consumer experience.
Next time: Minimizing ACH risk!
Sardine is the leading Fraud, Compliance, and Instant Settlement platform for Fintechs, Crypto, and Web3 companies. Its Fraud and Compliance Platform enables 3x less fraud and 2x fewer false positives. Sardine also offers Instant ACH settlement to Fintech and Crypto companies, with its Fraud & Compliance engine baked in. This means lower fraud, higher conversion and higher order values for merchants, and more account funding for wallets and Fintech companies.