NACHA ACH Operating Rules

United States | 1974 | Payments

What are the NACHA ACH Operating Rules?

The NACHA ACH Operating Rules are the official governance framework for the Automated Clearing House (ACH) Network in the United States. They are administered by Nacha, the National Automated Clearing House Association.

The rules — in effect since the 1970s and updated annually — standardise how electronic payments such as direct deposits, payroll, bill payments, business-to-business transfers, and consumer debits are originated, transmitted, settled, and returned across the ACH Network. They are binding on every participant, with non-compliance attracting fines, network warnings, and ultimately suspension. Our practitioner primer on ACH payments sets out the underlying mechanics.

Why NACHA compliance matters

ACH is the rails behind direct deposit, recurring billing, payroll, and a growing share of B2B payments — moving tens of trillions of dollars annually across millions of US accounts. The NACHA Rules are how that network stays safe, predictable, and interoperable.

For institutions originating or receiving ACH transactions, non-compliance is expensive on two fronts. There are direct Nacha fines (up to USD 500,000 per month for serious or repeated violations under the Rules Enforcement Procedures), and downstream reputational and supervisory consequences when bank examiners cite Nacha findings.

Who must comply

The Rules apply to every participant in the ACH Network. The two core institutional roles are the Originating Depository Financial Institution (ODFI) — the bank or credit union that transmits a payment instruction into the network — and the Receiving Depository Financial Institution (RDFI) — the bank or credit union that delivers the payment to the receiver's account.

ODFI vs RDFI roles

| Role | What it does | Key Nacha obligations |
| --- | --- | --- |
| ODFI | Originates ACH transactions into the network on behalf of an Originator | Originator due diligence, authorisation verification, fraud monitoring, return-rate management, WEB debit account validation |
| RDFI | Receives ACH transactions and posts them to the Receiver's account | Posting accuracy, return processing within Nacha timeframes, customer notification, compliance with stop-payment instructions |
| Third-Party Sender / TPSP | Acts as an intermediary between an Originator and the ODFI | Same obligations as Originator plus contractual flow-down from the ODFI |
| ACH Operator | Operates the central clearing and settlement (the Federal Reserve and The Clearing House) | Settlement timing, file processing, network reliability |

Every participant is responsible for its own compliance, and the ODFI carries direct contractual responsibility for the conduct of its Originators and Third-Party Senders.

Core compliance areas

The Operating Rules cover dozens of distinct obligation areas. A handful dominate the compliance and audit workload at most institutions.

Authorisation and notification

Every ACH debit must be properly authorised by the Receiver. Different SEC codes (PPD, CCD, WEB, TEL, ARC, etc.) carry different authorisation requirements — written, verbal-and-recorded, online-and-attested — and the Originator must retain proof of authorisation for the period required by the Rules.

Data security requirements

Nacha's Data Security Requirements rule, fully effective for all covered participants since June 2022, requires non-consumer Originators, Third-Party Service Providers, and Third-Party Senders that originate or transmit defined volumes of ACH entries to render bank account information unreadable when stored electronically. The rule was a major implementation programme for the industry and remains a recurring audit topic.

WEB debit account validation

Since 19 March 2021, the Nacha Rules have required Originators of WEB debits (consumer-authorised debits initiated through the internet) to use a "commercially reasonable fraudulent transaction detection system" that includes — at minimum — account validation. The institution must confirm that the bank account being debited is open, valid, and capable of receiving the transaction.

Modern programmes operationalise this through API-based account ownership verification, which checks the account in real time at the moment the consumer enters their bank details.

Return rates and risk management

The Rules impose return-rate thresholds that ODFIs must monitor. Unauthorised returns (R05, R07, R10, R29, R51) must stay below 0.5% of total ACH debits; administrative returns (R02, R03, R04) below 3%; overall returns below 15%. Originators that breach these thresholds without a remediation plan can be referred to Nacha for enforcement.

OFAC and BSA compliance

ACH transactions are subject to OFAC sanctions screening and the broader BSA/AML framework. ODFIs must screen Originators and large-value transactions; RDFIs must screen incoming transactions where appropriate. Any apparent match must be blocked and reported under the OFAC programme — see our sanctions screening AML guide for the broader screening discipline.

Common reasons for NACHA violations

Three failure patterns recur in Nacha enforcement actions:

  • Inadequate authorisation records — Originators cannot produce proof of authorisation when challenged on a return or dispute.
  • Breach of return-rate thresholds — high unauthorised-return rates signalling inadequate customer screening, weak authorisation practices, or active fraud.
  • Failure to validate WEB debit accounts — Originators relying on entered bank details without the commercially reasonable validation the Rules now require.

NACHA Rules and AML

Although Nacha Rules sit outside the formal AML rulebook, they connect directly to AML compliance. ACH activity that triggers an internal alert frequently feeds into transaction monitoring escalations and, where suspicion arises, into SAR/STR filings under the BSA.

Nacha return data is also a leading indicator of mule-account activity, fraud, and unauthorised access — making Nacha compliance and AML detection operationally interlocked. Our wider AML compliance complete guide and transaction monitoring primer cover where ACH-derived signals fit inside the programme.

Annual rules changes

The Nacha Rules are not static. Every year Nacha publishes a set of rule changes covering authorisation, network risk, fraud prevention, and operational standards.

Recent and upcoming changes have focused on fraud monitoring, credit-push fraud, risk-based RDFI obligations, and micro-entry rules. Institutions are expected to track rule changes and update policies, procedures, and systems on the effective dates — supported in many cases by unified AML screening platforms with built-in rule-change tracking.

Key Obligations

1. Originator due diligence and authorisation — ODFIs verify Originators, retain authorisation evidence per SEC code, and supervise Third-Party Senders.
2. Settlement and return timelines — follow Nacha-prescribed timelines for posting, returns, and Same Day ACH transactions.
3. Data Security Requirements — non-consumer Originators, TPSPs, and TPSs render bank account information unreadable when stored electronically.
4. WEB debit account validation — commercially reasonable fraudulent-transaction detection, including real-time account validation for consumer internet debits.
5. Return-rate monitoring — unauthorised returns under 0.5%; administrative returns under 3%; overall returns under 15%.
6. SEC code accuracy — apply correct Standard Entry Class codes (PPD, CCD, WEB, TEL, ARC) to every transaction type.
7. OFAC and BSA compliance — sanctions screening, SAR filing where suspicion arises, and recordkeeping aligned to BSA standards.
8. Consumer rights and dispute handling — error-resolution procedures, unauthorised-entry returns, and stop-payment instructions handled within Nacha timeframes.

Manual Details

Administered by: Nacha (National Automated Clearing House Association)
Citation: Nacha Operating Rules & Guidelines
In effect since: 1974 (with annual rule changes)
Jurisdiction: United States
Applies to: Banks, credit unions, fintechs, payment processors, payroll providers, third-party senders, and all participants in the ACH Network
Category: Payments — network rules

FAQ