The National Automated Clearing House Association (“Nacha”) manages the development, administration, and governance of the ACH Network. The Nacha Operating Rules (“Rules”) provide the legal foundation for the ACH Network.
Article Eight of the Nacha Operating Rules defines a Third-Party Service Provider as an Organization that performs any functions on behalf of the Originator, ODFI, or RDFI related to the processing of Entries, creation of the file, etc. An Organization acting as a Third-Party Sender is also considered a Third-Party Service Provider.
Article Eight of the Nacha Operating Rules defines a Third-Party Sender as a Third-Party Service Provider that acts as an intermediary in transmitting Entries between the Originator and an ODFI. A Third-Party Sender has a direct agreement with the Originator; the Originator does not have a direct agreement with the Originating Depository Financial Institution (ODFI) for the processing of ACH Entries. A Third-Party Sender acts on behalf of an Originator or of another Third-Party Sender (Nested).
Article Eight defines a Nested Third-Party Sender as a Third-Party Sender that has an agreement with another Third-Party Sender to act on behalf of an Originator, and does not have a direct agreement with the ODFI.

Audit and Risk

Article One, Subsection, defines an ACH Audit as an audit of compliance with the Nacha Operating Rules and Guidelines. It is not considered an IT or financial audit.
Third-Party Senders, Nested Third-Party Senders and Third-Party Service Providers that perform a function of ACH processing on behalf of an ODFI or RDFI must conduct an annual audit of compliance with the requirements of the Nacha Operating Rules.
The ACH Audit should be performed by an individual within the organization who is knowledgeable, objective, and independent of ACH Operations, or by an external auditor.
Documentation supporting the ACH Audit’s completion must be retained for six (6) years from the audit date.
Article One, Subsection of the Nacha Operating Rules, states that an ACH audit must be performed annually by December 31.
Third-Party Senders and Nested Third-Party Senders must provide evidence of completion of the ACH Audit upon request. Failure of the ODFI to provide proof of audit completion by its Third-Party Senders and Nested Third-Party Senders may be considered a Class 2 rule violation pursuant to Appendix Nine, Subpart (Class 2 Rules Violation).
Third-Party Service Providers must comply with any applicable sections of Articles One, Two, Three, and all Appendices based on the functions performed for the RDFI or ODFI.
Third-Party Senders must comply with applicable sections of Articles One, Two, and Appendices One, Three, and Four.
An ACH Risk Assessment is designed to identify the inherent risks of the organization’s overall ACH program and to evaluate the controls that mitigate those risks, so that the residual risk does not expose the organization to exposure beyond management’s risk tolerance.

OAS’ definition of an ACH Risk Assessment requires looking at your ACH operating environment holistically, across the functional areas of your organization, to identify the risks that, if realized, would be disastrous to your organization.
The Rules require all Third-Party Senders and Nested Third-Party Senders to conduct a risk assessment of their ACH activities and implement risk management programs based on such assessments.
An ACH Risk Assessment should be performed periodically. A review should also be triggered by changes to the ACH Program, such as (but not limited to) staff changes, technology changes, disaster recovery and business continuity changes, new products and services, data breaches, Rule changes, critical vendor changes, and fraud.


Nacha has created standards for structuring ACH files and Entries to ensure straight-through processing in the ACH Network. Every participant must follow these standards to process ACH effectively. Each Standard Entry Class (SEC) Code and File structure have their own formatting specifications. Refer to Appendix One, Two, and Three of Nacha Operating Rules and Guidelines for guidance.
The Company Name field of an Entry must contain the name by which the Originator is known and readily recognized by the Receiver of the Entry. Although a Third-Party Sender can be an Originator for its own Entries, when processing on behalf of its clients, the client is the payee or payor (Originator), not the Third-Party Sender. To this extent, the Company Name must contain the client’s name known to and readily identifiable to the Receiver of the Entry.
A Reversing Entry may be initiated to reverse an Erroneous Entry previously initiated to a Receiver’s account. An Erroneous Entry is defined as an Entry that:
• is a duplicate Entry
• is a payment in the wrong amount
• is a payment to the wrong Receiver
• orders payment of a debit Entry on a date earlier than intended, or payment of a credit Entry on a date later than intended
• is a credit PPD Entry satisfying each of the following criteria:
o the credit PPD Entry is for funds related to employment;
o the employee received both a separation check and a direct deposit
An authorization is not required for a reversal entry if all the requirements of Section 2.9 of the ACH Rules are followed.
Situations that will be treated as improper uses of a Reversing Entry include, but are not limited to:
• The initiation of a Reversing Entry for any reason other than those explicitly defined in the Rules
• The initiation of a Reversing Entry by an ODFI because its Originator or Third-Party Sender customer, or any downstream customer of its Third-Party Sender, failed to provide funding for the original Entry
• The initiation of a Reversing Entry beyond the time period permitted by Subsection 2.9.1 (General Rule for Reversing Entries)

ACH Compliance and Risk Management

The Administrative Return Rate Level for Originators’ or Third-Party Senders’ debit Entries must not exceed 3%. Administrative returns include R02, R03, and R04. The Unauthorized Entry Return Rate Threshold for Originators or Third-Party Senders must not exceed 0.5% (one-half of one percent). Unauthorized returns include R05, R07, R10, R11, R29, and R51. The Overall Return Rate Level for Originators’ or Third-Party Senders’ debit Entries must not exceed 15%. Management should include these thresholds in its return activity monitoring as part of the organization’s risk management program.
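The following is an added monitoring example, not code from the page, OAS or Nacha: it groups Return Reason Codes into the categories quoted above, computes each Originator’s return rates, and flags any rate above the stated threshold. The Originator ids, counts and the rate basis (returns divided by debit Entries originated in one period) are constructed assumptions, not the Rules’ exact calculation.

```python
from collections import Counter

# Return Reason Codes the page groups into the two monitored categories
ADMINISTRATIVE_CODES = {"R02", "R03", "R04"}
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R11", "R29", "R51"}

# Thresholds quoted on the page, as a percentage of originated debit Entries
THRESHOLDS = {"administrative": 3.0, "unauthorized": 0.5, "overall": 15.0}


def return_rates(debits_originated, returned_entries):
    """Per-Originator administrative, unauthorized and overall return rates (%).
    debits_originated: {originator_id: count of debit Entries originated}.
    returned_entries: list of (originator_id, return_reason_code) received.
    Assumption: rate = returns / originated debits over the same period."""
    counts = {oid: Counter() for oid in debits_originated}
    for oid, code in returned_entries:
        if oid not in counts:
            raise ValueError(f"return for unknown Originator {oid}")
        counts[oid]["overall"] += 1          # every return counts toward overall
        if code in ADMINISTRATIVE_CODES:
            counts[oid]["administrative"] += 1
        elif code in UNAUTHORIZED_CODES:
            counts[oid]["unauthorized"] += 1
    rates = {}
    for oid, total in debits_originated.items():
        if total <= 0:
            raise ValueError(f"no debit Entries originated for {oid}")
        rates[oid] = {k: counts[oid][k] * 100 / total for k in THRESHOLDS}
    return rates


def threshold_breaches(rates):
    """{originator_id: [category, ...]} for every rate above its threshold."""
    breaches = {}
    for oid, r in rates.items():
        over = [k for k, limit in THRESHOLDS.items() if r[k] > limit]
        if over:
            breaches[oid] = over
    return breaches


# Constructed sample activity (hypothetical Originators, not real data):
# ACME exceeds the 3% administrative level (3.2%); BETA exceeds 0.5% unauthorized (0.75%).
SAMPLE_DEBITS = {"ACME": 1000, "BETA": 400}
SAMPLE_RETURNS = (
    [("ACME", "R02")] * 20 + [("ACME", "R03")] * 12
    + [("ACME", "R01")] * 5 + [("ACME", "R10")] * 3
    + [("BETA", "R01")] * 2 + [("BETA", "R10")] * 3
)

if __name__ == "__main__":
    rates = return_rates(SAMPLE_DEBITS, SAMPLE_RETURNS)
    for oid, cats in threshold_breaches(rates).items():
        print(oid, "exceeds:", ", ".join(f"{c} {rates[oid][c]:.2f}%" for c in cats))
```

R01 (insufficient funds) is counted only in the overall rate, which is why ACME’s overall rate is 4.0% while its administrative rate is 3.2%.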

[Figures: Unauthorized Return Rates; Administrative or Overall Return Rate]

Office of Foreign Asset Control (OFAC)

The Office of Foreign Assets Control (OFAC) administers and enforces economic sanctions programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.
All U.S. persons must comply with OFAC regulations: all U.S. citizens and permanent resident aliens, regardless of where they are located, and all persons and entities within the United States. All financial institutions and businesses, large and small, need to make an effort to ensure that they are not doing business with restricted individuals or entities.
If you are making payments or receiving payments, you need to have an OFAC compliance program.
The fines for violations can be substantial. In many cases, civil and criminal penalties can exceed several million dollars. To learn more about the Civil Penalties and Enforcement, go to: