Audit Services

ACH Audits


Every financial institution that originates and/or receives ACH entries is required to complete an audit of compliance in accordance with the NACHA Operating Rules each year by December 31st. In addition, Third-Party Service Providers and Third-Party Senders are also required to complete an ACH Audit.

Let the professionals at UMACHA assist with your yearly audit. We will come to your organization’s designated location and review your policies, procedures and a sampling of transactions and exception entries to ensure compliance with the Rules. A primary focus of this service revolves around helping you understand what needs to be done based on the ACH Rules and why. We have the tools, expertise, and knowledge to help you improve all aspects of your ACH program. 

We can also conduct your audit remotely. To get more information and see if you meet the qualifications for a remote audit, please contact one of our Associate Directors of Compliance Services.

Want to complete your audit internally? Order our ACH Audit Guide on CD and then make sure to fill out the ACH Audit Completion Form.

An outside party may also complete your audit each year.

Enhancements to your ACH Risk Management Program

To assist your internal auditor with completing a thorough review of your risks and controls, or to help your staff implement an ACH Risk Management Program, UMACHA offers consulting services and provides several webinars and in-person workshops. throughout the year. UMACHA has also published resources to help your organization prepare for and/or complete your next ACH Risk Assessment.


ACH Compliance FAQs


Our Financial Institution has received notice that our customer/member has passed. The account is solely owned and we have not had any contact with the Executor of the Will. Should we return all incoming transactions?
First, always check the account for Federal Government Benefit Payments that are subject to Reclamation and were deposited into the account after the date of death; those payments should be returned as soon as possible with the R15 (Beneficiary or Accountholder Deceased) Return Reason Code. If there are other incoming debits and credits, generally UMACHA recommends allowing the Entries to post unless the account were to become overdrawn; or until you are advised otherwise by the executor.

Our customer/member received a Social Security payment on the same day that the person passed away, is this a payment that should be returned?
No, the accountholder is entitled to keep any Federal Government Benefit payment that has a settlement date on, or before their date of death. However; a Federal Government Benefit payment that is received after their date of death should be returned in order to limit the Financial Institution’s liability.

I received a reclamation from the State of MN, is it subject to the rules in the Green Book?
No, only certain types of Federal Government payments are subject to the rules of the Green Book.  You can find a list of payments subject to reclamation in the Green Book, Chapter 5 (Reclamations), page 5-4.

The family of the deceased customer is asking the Financial Institution to refrain from sending back a government payment that is subject to reclamation.  Should the Financial Institution honor the family’s request?
If the beneficiary of the payment was alive on the day the payment settled, it is not subject to reclamation.  However; if the beneficiary passed away prior to receiving the payment, you are required to return it, otherwise it will be subject to reclamation.  You can reference the Green Book, Chapter 5 (Reclamations), page 5-10.

We received a reclamation, but the Financial Institution does not have the entire amount left in the account.  How should the partial payment be returned?
Follow the instructions listed on the Reclamation, and return the partial payment outside of the ACH network.  You can also reference the Green Book, Chapter 5 (Reclamations), page 5-16.


I have a corporate customer who is disputing a transaction that came into their account a month ago. The debit came in with a consumer SEC Code (PPD, WEB, TEL, etc), is there any way to return this transaction?
Yes. If a debit to a corporate account has a consumer type SEC Code (PPD, WEB, TEL, etc.), the customer can sign a WSUD Form and the Financial Institution has 60 days from the settlement date to return the debit once the WSUD is signed.

Can I have a customer E-Sign a Written Statement of Unauthorized Debit?
Yes. There are a few additional requirements to be compliant with the E-sign Act such as encryption, identity verification and record storage, but a WSUD is valid with an E-Signature that follows these requirements.

I have a customer who is stating that a credit transaction is unauthorized/wrongly posted to the account, should I fill out a WSUD and return this R10?
No, for an unauthorized or incorrect credit the proper Return Reason Code is R23 (Credit Refused by Receiver). This return does not require a WSUD Form.  However, UMACHA always recommends documenting the reason for the return. In our Knowledge Center there is a free copy of a Credit Refused by Receiver Form that our members may use at any time.

When should I request that my customer fill out a Stop Pay Form versus a Written Statement of Unauthorized Debit Form?
A Stop Pay is proactive – if the customer requests a return before the item hard-posts (you can use a Stop Pay Form and Return for an Entry in memo-post). A WSUD is reactive – the debit has already posted the customer is disputing the item.

I have a consumer customer claiming a debit entry is unauthorized but the SEC Code is CCD, how should this item be returned?
If the account is a consumer account the consumer always gets the 60 days from Settlement Date of the Original entry to return an unauthorized entry, even if the SEC Code is a CCD. The return reason code is R05 – Unauthorized Corporate Entry to Consumer Account. This return reason will make sure the return is not auto-rejected as untimely.

I have a corporate customer who is disputing a CCD or CTX entry as unauthorized, can this be returned with a WSUD?
No. A WSUD Form is only for consumers.  However, it is possible to return an unauthorized corporate debit if the return is completed, and made available to the ODFI by opening of business on the second Banking day following the Settlement date. The return reason code must be R29 – Corporate Customer Advises Not Authorized. A signed form is not required, but is encouraged as good business practice. UMACHA has a Corporate ACH Debit Entry Return Form available that is free for members.


I just received a Letter of Indemnity, what do I do next?
A Letter of Indemnity is a request in which the ODFI is asking the RDFI to return a payment the RDFI received, generally a credit transaction. First, verify whether there is enough money in the account to send the return.  if the funds are not available you are not required to complete the return.

You never have to take a loss for a Return per the ODFI’s request. If there is enough money in the account, you will need to make a business decision. It is good to honor such requests if possible.  However, if you are concerned that your customer/member’s account will be negatively affected, you are not required to honor the request.

We always suggest you communicate to the other Financial institution whether or not you are going to honor the return request.  If you decide to return the Entry, you would use the Return Reason Code R06 – Returned per ODFI’s request.

I received an R06 request without a Letter of Indemnity, what does that mean?
An ODFI can do an R06 request without a Letter of Indemnity, however the RDFI is under no obligation to honor the request. If there are funds in the account, you request that the ODFI send a Letter of Indemnity before completing the Return.

I have been contacted by my Originator about an Entry (debit or credit) that was sent incorrectly or by mistake; what are my options?
First verify when the entry was sent – it may be possible for the entry to be Reversed if the error was found within 5 Banking Days of the original settlement date.

If a reversal is not possible your Financial Institution is allowed to send an R06 – Return per ODFI Request. Generally, the RDFI will require a Letter of Indemnity along with the request. This Letter should include language that you will hold the RDFI harmless in the event that the R06 request was incorrect.

Name Mismatch
Our frontline staff has discovered that a recurring transaction posting to a customer’s account has a different receiver listed than what is on the account.

 If it is a Federal Government payment, it should be returned.  If it is a tax credit and you feel it may be fraud, return R17 after opting in to The IRS and State Tax Refund Return Opt-In Program. 

If it is neither a Federal Government payment or a tax refund, the RDFI is only required to post transactions based on account and routing number.  The payment should not be returned, unless it is unauthorized, the customer requests the return, it is within the return timeframe, and proper procedures are followed according to The Rules.


How long does an Originator have to respond to a received NOC?

An Originator must make the necessary changes within 6 business days or the next live Entry, whichever is later.

How to File a Rules Violation


Are there file format requirements for a file reversal?
Yes, place the word REVERSAL in the Company Entry Description Field of each Company/Batch Header Record

What is the time frame for initiating a reversing file?
Initiate the reversing file so that it can be transmitted or made available to the RDFI(s) within 5 banking days after the Settlement Date for the entries within the duplicate or erroneous file.

One of my customers received a Reversing Entry and the funds aren’t available in the account, can I return it NSF?

Yes, if there are not sufficient funds in the account to cover the Reversal you can return the reversing entry as NSF.