UMACHA 50 years of guiding payments

ACH Audit Services

Every financial institution that originates and/or receives ACH entries is required to complete an audit of compliance in accordance with the Nacha Operating Rules each year by December 31st. In addition, Third-Party Service Providers and Third-Party Senders are also required to complete an ACH audit by the same date.

Let the professionals at UMACHA assist with your yearly ACH audit. Choose from either an on-site or remote ACH audit. Regardless of method chosen, our compliance team will review your policies, procedures and a sampling of transactions and exception entries to ensure compliance with the Nacha Rules. A primary focus of this service revolves around helping you understand what needs to be done based on the Nacha Rules and why. We have the tools, expertise, and knowledge to help you improve all aspects of your ACH program. 

For questions about the ACH audit process, to request a quote for a remote or on-site ACH audit, or to schedule a different UMACHA compliance service, please complete the Compliance Services Request Form and one of our Associate Directors of Compliance Services will reach out to you soon.

UMACHA also offers additional compliance services, including:

Want to complete your ACH audit internally? Order and immediately download our ACH Audit Guide from our Online Store, and then make sure to fill out the ACH Audit Completion Form following the completion of your internal ACH audit.

NOTE: Members can save on the ACH Audit Guide and ACH Risk Assessment Guide by purchasing both from our Publication Bundles area in the Online Store.


I have a corporate accountholder who is disputing a transaction that came into their account a month ago. The debit came in with a Consumer SEC Code (PPD, WEB, TEL, etc). Is there any way to return this transaction?

  • Yes. If a debit to a corporate account has a Consumer-type SEC Code (PPD, WEB, TEL, etc.), the customer can sign a Written Statement of Unauthorized Debit (WSUD) form. If the Settlement Date of the entry is within 60 calendar days, the Financial Institution can return the debit once the WSUD is signed.

Can I have an accountholder electronically sign a WSUD?

  • Yes. There are a few additional requirements to be compliant with the E-Sign Act such as encryption, identity verification and record storage, but a WSUD is valid with an E-Signature that follows such requirements.

I have an accountholder who is stating that a credit transaction is unauthorized/wrongly posted to the account. Should I have them sign a WSUD and return this R10?

  • No. For an unauthorized or incorrect credit, the proper Return Reason Code is R23 (Credit Refused by Receiver). This return does not require a WSUD form.  However, UMACHA always recommends documenting the reason for the return. In our Knowledge Center under our Sample Documents, there is a free sample of a 'Credit Refused by Receiver' form that our members may use at any time.

When should I request that my accountholder fill out a stop pay form versus a WSUD form?

  • A stop pay is proactive – if the customer requests a return before the item hard-posts (you can use a stop pay form and return for an entry in memo-post). A WSUD is reactive – the debit has already posted and the customer is disputing the item.

I have a Consumer accountholder claiming a debit entry is unauthorized, but the SEC Code is CCD. How should this item be returned?

  • If the account is a Consumer account, the Consumer always gets the 60 days from Settlement Date of the original Entry to return an unauthorized Entry, even if the Originator used a corporate SEC Code (i.e., CCD/CTX). The Return Reason Code is R05 (Unauthorized Corporate Entry to Consumer Account). This return reason will make sure the return is not auto-rejected as untimely.

I have a corporate accountholder who is disputing a CCD/CTX entry as unauthorized. Can this be returned with a WSUD?

  • No. The completion of a WSUD form is only permitted for the return of a select number of SEC Codes.  CCD & CTX entries are not permitted to be returned following the completion of a WSUD form.  However, it is possible to return an unauthorized corporate debit if the return is completed and made available to the ODFI by opening of business on the second Banking Day following the Settlement Date. The Return Reason Code must be R29 (Corporate Customer Advises Not Authorized). A signed form is not required, but is encouraged as good business practice. UMACHA has a 'Corporate ACH Debit Entry Return' form available in the Knowledge Center under our Sample Documents that is free for members.


We just received a Letter of Indemnity (LOI) from another Financial Institution. What do I do next?

  • An LOI is a request in which the ODFI is asking the RDFI to return a payment the RDFI received, generally a credit transaction. First, verify whether there is enough money in the account to send the return.  If the funds are not available, you are not required to complete the return. You never have to take a loss for a Return per the ODFI’s request. If there is enough money in the account, you will need to make a business decision. It is good to honor such requests if possible.  However, if you are concerned that your customer/member’s account will be negatively affected, you are not required to honor the request.
  • We always suggest communicating with the other financial institution regardless of the decision to honor the return request.  If you decide to return the entry, you would use the Return Reason Code R06 (Returned per ODFI’s request).

We received an R06 request without an LOI. What does that mean?

  • An ODFI can send an R06 request without first having sent an LOI, however the RDFI is under no obligation to honor the request. If there are funds in the account, you can request that the ODFI send an LOI before completing the return.

We have been contacted by an Originator about an entry (debit or credit) that was sent incorrectly or by mistake. What are our options?

  • First, verify when the entry was sent and what the error was – it may be possible for the Entry to be Reversed if the error was found within five Banking Days of the original Settlement Date and the reason is permitted by the Nacha Rules as indicated in Article Two, Subsections 2.9.1 (General Rule for Reversing Files) and 2.10.1 (General Rule for Reversing Entries).
  • If a Reversal is not permitted, your Financial Institution is allowed to send an R06 (Return per ODFI Request). Generally, the RDFI will require a Letter of Indemnity along with the request. The LOI should include language that you will hold the RDFI harmless in the event that the R06 request was incorrect.


How long does an Originator have to respond to a received NOC?

  • An Originator must make the necessary changes within 6 banking days or prior to the next live Entry, whichever is later.

What do I do if an Originator does not make a change based on an NOC?

  • If multiple NOCs have been sent to an ODFI and the Originator has not made the associated change, it is recommended that the Financial Institution contact the ODFI of the entries to request further action. If the ODFI is unable to, or unwilling, to assist with the issue, a rules violation can be filed.  For information about submitting a rules violation with Nacha, please visit our Report a Rules Violation page.



Are there ACH file formatting requirements for a Reversing File?

  • Yes, the word REVERSAL must appear in the Company Entry Description Field of each Company/Batch Header Record in all capital letters.

What is the time frame for initiating a Reversing File?

  • Initiate the Reversing File so that it can be transmitted or made available to the RDFI(s) within five Banking Days after the Settlement Date for the entries within the duplicate or Erroneous File.

One of my accountholders received a Reversing Entry and the funds aren’t available in the account. Can we return it NSF?

  • Yes, if there are not sufficient funds in the account to cover the Reversal, the Financial Institution can return the Reversing Entry using Return Reason Code R01 (Insufficient Funds).