ACH Best Practices

 

Simple and Safe Best Practices

Originators should be aware of the Operating Rules & Guidelines issued annually by the
National Automated Clearinghouse Association (Nacha). The Nacha Operating Rules &
Guidelines oversee every ACH payment and provide exact guidelines for securely storing,
accessing and transmitting sensitive customer information.


Basic knowledge of Nacha Operating Rules & Guidelines is required, even if you use a third-
party payment processing system to process ACH. It’s your responsibility to know the ACH
Rules and make sure your business is compliant. Keep up with the Rules changes on
the Nacha website.


Best Practices for ACH


Monitor and reconcile accounts daily to catch unauthorized activity


Nacha rules require that unauthorized or improper corporate ACH debits posted to your
account be returned no later than the opening of business on the second banking day following
the settlement date of the original entry (i.e., one day to return an ACH debit). If an unauthorized
debit is not returned by two days after posting, it will be much more difficult to recover lost funds.


Act quickly when receiving a NOC (Notification of Change) entry


Nacha rules require ACH origination customers to change information (the information
requested to be changed by the Receiving Depository Financial Institution (RDFI)) within six (6)
banking days of receipt of the NOC or the next time the transaction is generated, whichever is
later. Common changes include updates to transaction codes, account numbers, and/or routing
numbers.


Correct ACH returns quickly, using the appropriate process if reinitiating the entry

  • A returned ACH entry may not be reinitiated unless (1) the entry has been returned for insufficient or uncollected funds; (2) the entry has been returned for stopped payment and re-initiation has been authorized by the Account Holder, or (3) the Originating Depository Financial Institution (First Bank Texas) has taken corrective action to remedy the reason for the return.

  • An originator may re-initiate a debit entry within 180 days up to two times. Those entries must be sent in a separate batch and contain identical content in the Company Name, Company ID, and Amount field.

  • Re-initiated entries must contain “RETRY PYMT” in the Company Entry Description
    Field.


Initiate ACH entries under dual control


Whenever possible, divide responsibilities among several employees. To prevent unauthorized
ACH payments, separate out the payments process where one employee will create/upload the
ACH batch and another employee is responsible for approving batches. To prevent
unauthorized or inappropriate system access, separate the payments approval process where
one user can add or delete users but does not have the ability to approve, delete, or edit
batches.


Implement procedures that alert to "red-flag" activity

Train employees to be alert for website layout changes, invoice layout changes, egregious
misspellings on a website or email notifications, "system down" warnings, etc.


Implement a security policy for company systems


Do not allow employees to use social networking sites on the same computer systems as the
business’ online banking system. Common social media attacks include likejacking, where
attackers use fake “like” buttons to trick users into clicking website buttons that install malware
and post updates on a user’s newsfeed to spread the attack; or, fake offerings/apps to join a
fake group or subscription with incentives that are used to steal credentials or harvest other
personal data.

Rules and Updates Every ACH Originator Should Know

Authorization Requirements for Consumer Entries

Originator must obtain authorization for both consumer credit and debit entries and should
ensure that the authorization is clear and readily understandable by the account holder/receiver.

  • The authorization should clearly state account number and routing number (i.e. a copy of
    the account holder’s check), and account type (demand deposit, savings).
  • The consumer must date and either sign or similarly authenticate debit authorizations.
  • A review of authorizations should be performed to make sure they meet the requirements
    of the Nacha Operating Rules.
  • First Bank Texas will provide authorization forms upon request.

Originators can expect the return of consumer entries that were not properly authorized.

  • An unauthorized debit entry is an entry in which (1) the authorization requirements have
    not been followed in accordance with the Nacha Operating Rules or the authorization is
    invalid under applicable legal requirements; (2) a transaction was initiated in an amount
    different than that authorized by the Receiver; (3) a transaction was initiated for
    settlement earlier than authorized by the Receiver.

In general, consumer debit entries must be returned by the RDFI in such time and manner that
the return is made available to the ODFI no later than the opening of business on the banking
day following the sixtieth (60) calendar day following the settlement date of the original entry.
This return deadline also applies to the return of debit entries for which the consumer Receiver
had previously revoked his authorization.

Authorization Requirements for Corporate Entries

As with consumer entries, the business Receiver (Company) must authorize all ACH credits and
debits to its account.

  • The Receiver of CCD (Corporate Credit and Debit), CTX (Corporate Trade Exchange)
    entries, and IAT (International ACH Transactions to a corporate customer account) must
    enter into an agreement with the Originator to which the Receiver has agreed to be
    bound by the Nacha Operating Rules.
  • This agreement for credits and/or debits to the corporate customer account should be
    clear to the corporate customer as to what the credit/debit represents.

Unlike consumer entries, in general, the non-consumer receiver of a CCD, CTX or IAT entry
must return entries no later than the opening of business on the second (2) banking day
following the settlement date, requiring prompt review of transactions to detect any unauthorized
entries.

Notice of Change for Recurring Debits

For recurring debits, when the debit amount varies, the Rules require the Originator to notify the
account holder/receiver within ten (10) calendar days before the scheduled transfer date. If an
Originator changes the date on which it debits the account holder/receiver, it must notify the
account holder/receiver in writing of the new date of the entry at least seven (7) calendar days
before the first entry to be affected by the change is scheduled to be debited to the Receiver’s
account.

Document Retention for Authorizations

The signed or similarly authenticated authorization must be retained by the Originator for a
period of two years following the termination or revocation of the authorization.

  • In the case of a paper authorization that has been signed by the consumer, the
    Originator must retain either the original or a copy of the signed authorization.
  • This authorization may be obtained in an electronic format that (1) accurately reflects the
    information in the record, and (2) is capable of being accurately reproduced for later
    reference.

At the request of its ODFI, the Originator must provide the original, copy or other accurate Record of
the Receiver’s authorization to the ODFI for its use or for the use of an RDFI requesting the
information. The Originator must provide it in such time and manner as to enable the ODFI to
deliver the authorization to a requesting RDFI within ten (10) banking days of the RDFI’s initial
request.

Company Name Identification

The Originator is required to ensure there is clear identification of the source of an ACH
transaction. Specifically, the Rules require the Originator to populate the Company Name Field
with the name by which it is known to and readily recognized by the Receiver of the entry. As
this company name appears on the account holder’s statement, it should be easily recognized
by the account holder/receiver of the debit/credit.

International ACH Transactions (IAT)

Origination of the IAT standard entry class code is not permitted by First Bank Texas. Certain
ACH payments that were classified as domestic transactions may be classified as international
payments, or IAT transactions today. The ACH transaction may be classified as an international
payment (IAT transaction) if your company (1) is a subsidiary of a multi-national corporation; (2)
has foreign subsidiaries; (3) buys or sells to organizations or individuals outside of the territorial
jurisdiction of the United States; or (4) sends payroll, pension or benefit payments via the ACH
Network to individuals that have permanent resident addresses outside the territorial jurisdiction
of the United States.

Laws Regarding the Office of Foreign Assets Control (OFAC)

Corporations are required to comply with OFAC obligations, and the penalties for ignoring those
obligations can be both criminal and civil and include both jail time and fines ranging from
$10,000 to $10,000,000 per occurrence. If these fines are levied against the financial institution,
they may be passed back to the corporate originator depending on the specifics of the case and
the details of their contract with the financial institution. The fines are levied by the U.S.
government and funds collected are the property of the government, not the financial institution.
Additional information on OFAC obligations and fines can be found at the following
link: https://www.treas.gov/offces/enforcement/ofac/.

Prenotifications

Prenotifications are zero-dollar entries generated to validate the account held at the RDFI.
Originators may originate a prenote; however, this is not required under the Rules. If the
Originator initiates a prenotification, it must wait three (3) banking days prior to initiating the live
dollar amount.

Reversing an ACH File or Entry

An Originator may reverse an erroneous or duplicate file, or an item within the file, within 5
banking days after the Settlement Date of the original file. The word "REVERSAL" must be
placed in the Company Batch Header Field and, if the file is reversing an erroneous file, the
Originator must initiate a correcting file with the reversing file. The Originator should notify the
account holder(s)/receiver(s) of the reversing entry and the reason for the reversing entry no later
than the Settlement Date of the reversing entry.

Standard Entry Class (SEC) Codes

First Bank Texas permits Originators to send PPD (Prearranged Payments and Deposits) for
entries posting to consumer accounts and CCD (Corporate Credits and Debits), CCD+, and
CTX (Corporate Trade Exchange) for entries posting to corporate accounts. Any other types of
standard entry class codes require approval from First Bank Texas prior to their use.

Stop Payments Made by Consumer

This affects Originators as a stop payment may be placed on the RDFI’s system for all future
transactions relating to the one Originator for the payment. Originators need to train internal
staff to ensure they understand that there may be multiple stop payments returned. These
should not be reinitiated until resolved.

Third-Party Sender Roles and Responsibilities

A Third-Party Sender is a type of Third-Party Service Provider that acts as an intermediary
between the bank and the entity’s (Third-Party Sender’s) customers. The Rules require that all
Third-Party Senders conduct a Rules compliance audit and risk assessment of their ACH operation
and compliance with the Rules no later than December 31 of each year. Documentation
supporting the completion of an audit must be (1) retained for a period of six years from the date
of the audit, and (2) provided to Nacha upon request. As this is a Rule requirement, First Bank
Texas requires a copy of the ACH audit and Risk Assessment each year. Approved Third-Party
Senders should reference their agreement for the additional requirements. This applies only to
Third-Party Senders.

Data Security

The originating customer is responsible for ensuring they (along with any third-party service
providers acting on their behalf) implement and maintain security policies, procedures, and
systems related to the initiation, processing, and storage of entries and resulting protected
information.

In addition, it is the responsibility of the customer to educate staff on how to protect the
business’ online banking system and to take reasonable steps to maintain the confidentiality and
security of the security procedures and of any passwords, codes, and security devices, including but
not limited to multifactor authentication, out-of-band authentication, and secure browser
sessions.

Security policies, procedures and systems must: (1) protect the confidentiality and integrity of the
protected information, (2) protect against anticipated threats or hazards to the security or
integrity of protected information until its destruction, and (3) protect against unauthorized use of
protected information that could result in substantial harm to the customer.

Risk Management and Assessment Requirements

First Bank Texas, as an ODFI, may establish additional risk management procedures such as
requiring an audit of its Originators' activity be performed, closely monitoring the return volume
of its Originators, and assessing the risk associated with the type of ACH activity performed by
each Originator. Originators need to understand the necessity of risk management practices
regarding the following: (1) the performance of due diligence with respect to Originators and
Third-Party Senders; (2) the assessment of the nature of the Originator’s or Third-Party
Sender’s ACH activity and the risks it presents; and (3) the establishment of procedures to
monitor an Originator’s or a Third-Party Sender’s origination and return activity, and to enforce
exposure limits and restrictions on the types of ACH transactions that may be originated.

Frequently Asked Questions

What happens if an ACH payment is returned?

When an ACH return is received, your account will receive a chargeback or creditback return
entry and you will be notified of the return, along with information on how to view the return
details.

How much are the ACH Return Fee and Notification of Change (NOC) fees?

Fees may vary; please refer to your fee schedule.

Can a business dispute a returned ACH payment?

Dispute an ACH return if it was a duplicate, it was misrouted, information was inaccurate, the
return didn’t occur within the expected time frames, or an unintended credit to the receiver was
the result of the reversal.

What is a Notification of Change (NOC)?

A notification of change (NOC) occurs when the bank receiving the ACH entry notifies the bank
sending the ACH entry that some portion of the information is incorrect. With NOCs, the ACH
transaction posted to the recipient's account, but the information within the ACH entry needs to
be corrected to ensure that future transactions will be processed.

Why is timely review of Notification of Change and ACH Returns important?

Accuracy of information when sending ACH batches or files is always important. Otherwise,
there’s a risk of misdirecting ACH transaction(s) and relying on another bank to make proper
corrections. These transactions are often critical to the recipient, such as a payroll deposit. In
addition, Nacha rules require changes be made within six (6) banking days after receipt of a
notification of change or an ACH return. If this is not complied with, penalties may be assessed
against the originating bank.

What are ways to reduce returns?

Decrease the odds of an ACH Return by verifying that the input is correct (including the recipient’s
bank routing number). The Federal Reserve has a tool to verify that the routing number is correct for
ACH processing: FRFS: Search for FedACH Participant RDFIs (frbservices.org)

Business Email Compromise (BEC)

What is Business Email Compromise?

Business Email Compromise is a type of phishing scam in which fraudsters try to hack, spoof or
impersonate business email addresses. They may change one letter or number in a familiar
email address to make their scam appear legitimate.

Example: bill.smith@ABCBuilders.com – bill.smith@ABCBuildrs.com

Scammers may send emails to employees in an attempt to gain credentials or convince
someone to send a fraudulent wire. They may also send an email that appears to be from a
known third party such as a vendor.

Scammers have also been known to send an email to customers, posing as the legitimate
business, in an attempt to obtain their payment information or other sensitive information.

How do I recognize a Business Email Compromise scam?

BEC scams are often difficult to spot, but there are a few red flags to be on the lookout for.
Common signs of BEC messages include:

  • The message is brief, urgent, and presses you to bypass normal policies and
    procedures;
  • The request appears to be from an executive, vendor or other partner that is outside of the
    norm;
  • A request for sensitive employee, payroll or company information;
  • Emails have misspelled words or poor grammar;
  • Unexpected attachments sent by email;
  • Emails sent after business hours or on weekends, holidays, or other nonstandard
    business days.

Carefully check the email address of the sender to ensure it’s legitimate. Since they can be just
one character off, spoofed email addresses can be easy to miss.

How to protect against Business Email Compromise?

  • Verify by phone before you send funds. ALWAYS call the vendor, business partner, or
    colleague directly to verify the payment information. Use previously known numbers you
    know are correct — even across different time zones — and not the numbers provided in
    an email or text request. Never initiate any changes based only on email or
    text communication.
  • Be cautious of new payment information. Beware of email requests instructing a
    routine wire payment to be sent to a new account.
  • Match your payment to a legitimate invoice before paying. Quite frequently,
    fraudsters tend to pose as a trusted vendor requesting payment. Prior to sending
    payments, ensure the payment requested matches a legitimate invoice.
  • Verify before clicking on a link or opening an attachment in an email or text. It may
    appear to be from someone you know, but it may be a fraudster phishing for your
    password, business bank account, or other sensitive information. Extra caution: The link
    may contain malware.
  • Double-check the email address. Fraudsters are tricky and can create email
    addresses that look very similar to the legitimate account. They often find naming
    conventions for a company’s email accounts on its website and use those to fool you —
    inspect closely!
  • Do not respond to email as verification. Don’t reply to the requester by email. The
    fraudster either controls the spoof email account or has gotten access to the valid email
    account and can write back, making it look legitimate.
  • Beware of a sense of urgency. Usually fraudsters will indicate that the funds need to
    be wired right away. These requests often ask that the client be contacted only through
    email instead of other channels.
  • Know and trust who you are working with. Before doing business with a new
    company, search the company’s name online with the term “scam” or “complaint.” Read
    what others are saying about the company. Only purchase merchandise from reputable
    dealers or establishments.
  • Be wary of using free, web-based email accounts for your business, which are
    more susceptible to being hacked. Make sure at least two-factor authentication
    is available.
  • Be careful when posting information to social media and company websites, as
    fraudsters may use this information to deploy new tactics.
  • Keep the processing of your financial activities limited to as few machines as
    possible and limit the other activities such as web surfing on those machines, as well.
  • Consider financial security procedures that include a two-factor authentication
    process or dual control for electronic funds transfers.
  • Create intrusion detection system rules that flag emails with extensions that are
    similar to company email but not exactly the same (for example, .co instead of .com). If
    possible, register all Internet domains that are slightly different from the actual
    company domain.
  • Know the habits of your customers, including the reason, detail, and amount of
    payments. Beware of any significant changes.
  • Consider frequent and regular patching of your business systems.
  • Use a quality next-gen antivirus solution — one that watches for behavior anomalies
    and not just signatures.

Steps to take in the event of fraud or loss due to BEC.

If fraud or loss does happen as a result of responding to a BEC email with sensitive information,
there are a few steps to take:

  • Report it to your organization’s IT/cybersecurity team.
  • Call us at (817) 598-4900 so that we can take the necessary precautions to secure your
    First Bank Texas accounts.
  • Change passwords for email and financial accounts.
  • Review account statements for any suspicious activity.
  • Contact the police and file a report.
  • File an Internet Crime Report (IC3 Report) https://www.ic3.gov/


First Bank Texas is committed to serving your ACH Originator Needs. For questions concerning ACH Rules, resources, or issues, contact the ACH Department.

Telephone: 817-598-4900

Email: FBTACHProcessing@go2fbt.com

Address:
First Bank Texas
ATTN: ACH Department
220 Palo Pinto
Weatherford, TX 76086


First Bank Texas is your local community bank that offers a range of personal and business banking solutions including savings and checking accounts, individual retirement accounts (IRAs), VA loans, mortgages, commercial loans, agriculture lending, working capital loans, real estate loans and much more. Bank online, with our mobile app or visit one of our conveniently located North Texas locations in the Greater Abilene, West Fort Worth and Grapevine areas.


© 2025 First Bank Texas. | Crafted by primitive.