ACH Authorization Best Practices (Templates + Compliance Checklist)

Getting ACH right starts with a rock-solid authorization. A clean mandate (authorization) lowers returns, prevents “not authorized” disputes, and keeps you aligned with NACHA rules. In this guide, you’ll get plain-English requirements, fillable templates for one-time and recurring ACH, and a compliance checklist your finance and ops teams can actually use. We’ll also show how Liftoff bakes these controls in—so your team spends more time collecting and less time chasing forms.

Quick note: This article is for general information and isn’t legal advice. Confirm specifics with your ODFI/processor and counsel.

Why strong ACH authorizations matter

· Fewer returns & fees: Clear consent cuts R07/R08/R10/R29 disputes and NSF chain reactions.

· Faster collections: When customers understand timing and amounts, they’re less likely to block or delay pulls.

· Audit-ready: Proper storage and retrieval of mandates make bank reviews painless.

· Better CX: Simple, mobile-friendly forms reduce confusion and keep trust high.

What an ACH authorization must include (the essentials)

NACHA requires that consumer (PPD/WEB/TEL) and corporate (CCD/CTX) authorizations contain clear, conspicuous language granting permission to debit (or credit) an account.

Practically, your form should capture:

· Customer/Company info: Legal name, DBA (if any), address, and contact details for both parties.

· Bank details: Routing (ABA) + account number, account type (checking/savings).

· Transaction type: One-time or recurring (frequency and start date).

· Amount terms: Fixed amount or variable amount with notice rules (e.g., 10 days’ notice).

· Schedule & timing: Due day, collection window, and how changes are communicated.

· Revocation instructions: How to cancel authorization (method and notice period).

· Authorization statement: Explicit consent to debit via ACH; acknowledgement of rights.

· Signature & date: Wet/e-signature, plus ESIGN/UETA consent for electronic records.

· Dispute/Support: How to reach you to resolve issues quickly.

· Retention: You must retain the authorization (and any changes) for two years from the termination date.

WEB authorizations must be captured online and retained electronically. TEL requires either recorded verbal consent following a script that meets the standard, or a prompt written confirmation sent to the consumer.

Picking the right SEC code (so the mandate matches the flow)

· PPD – Consumer, paper/electronic written authorization (in-person, email link, online form).

· WEB – Consumer, internet-initiated (must include additional authentication and fraud controls).

· TEL – Consumer, telephone-initiated (recording + script, or prompt written confirmation).

· CCD – Corporate debit/credit (business accounts); use corporate mandate language.

· CTX – Corporate with addenda records (remittance detail).

Choose the SEC code that reflects how you collected consent—not just who you’re charging.

Ready-to-use templates (copy & adapt)

Replace brackets with your details. Keep language plain, readable, and mobile-friendly.

1) PPD — One-Time Debit Authorization (Consumer)

Title: Authorization for One-Time ACH Debit

I authorize [Your Company Legal Name] (DBA [Your DBA]) to debit my [checking/savings] account ending in [XXXX] at [Bank Name] for $[Amount] on [Date].

I understand this is a one-time payment. If the debit is returned for insufficient or uncollected funds, I may be charged a fee where permitted by law, and I remain responsible for this payment.

I can contact [Support Email/Phone] with questions.

Signature (e-sign ok): ________ Date: ________

Required fields on form: name, address, email/mobile, ABA + account, account type, amount, date, signature + ESIGN consent.

2) PPD — Recurring Debit Authorization (Consumer)

Title: Authorization for Recurring ACH Debits

I authorize [Your Company] to debit my [checking/savings] account ending in [XXXX] at [Bank Name] for $[Amount] on a [weekly/bi-weekly/semi-monthly/monthly] schedule starting [Start Date].

If the amount varies, [Your Company] will notify me at least 10 days before the debit with the new amount and date.

This authorization will remain in effect until I cancel by contacting [Support Email/Phone] at least 3 business days before the next debit.

I have read and agree to the ACH Authorization Terms.

Signature: ________ Date: ________

3) WEB — Recurring Debit Authorization (Online)

Add to your checkout screen near the “Agree & Pay” button:

By clicking Agree & Pay, I authorize [Your Company] to debit my account via ACH for [amount/frequency] beginning [date]. I can cancel at any time with [contact method] at least 3 business days before the next debit. I agree to receive electronic records and disclosures (ESIGN).

WEB extras you should implement:

· Explicit ESIGN consent checkbox.

· Account validation (instant or micro-deposits).

· Multi-factor authentication or login for returning users.

· IP/device fingerprinting and velocity checks.

4) TEL — One-Time/Recurring Script (Phone)

Agent Script (core clauses):

· “This call is recorded. Do I have your permission to proceed?”

· “Please confirm your full name, billing address, and last four of your bank account.”

· “Do you authorize [Your Company] to debit $[Amount] from your [checking/savings] at [Bank] on [Date] (and recurring [frequency] starting [Start Date], if applicable)?”

· “You may revoke this authorization by contacting [Support] at least 3 business days before the next debit. Do you agree?”

· “We’ll email a confirmation to [email]. Do you consent to receive electronic records?”

Store recordings and send a written confirmation right after the call.

5) CCD — Corporate Authorization (B2B)

Title: Corporate ACH Authorization (CCD)

[Customer Legal Entity] authorizes [Your Company Legal Name] to initiate ACH debits/credits to [Bank], routing [ABA], account [Acct #], for invoices due under our agreement. This authorization remains in effect until revoked by [Customer] with written notice and reasonable time for processing.

Authorized Signer: ________ Title: ________ Date: ________

Compliance checklist (print this)

· SEC code fits the flow (PPD/WEB/TEL/CCD/CTX).

· Clear authorization language (single vs recurring, amounts, schedule, start date).

· Variable amount notice policy (e.g., 10 days) documented and followed.

· ESIGN/UETA consent for electronic records.

· Revocation process documented (email/portal/phone; 3 business days prior).

· Identity & sanctions checks: KYC/KYB and OFAC screening.

· Account validation (instant + micro-deposit fallback).

· Fraud controls (WEB: MFA/login, device/velocity checks; TEL: recorded consent).

· Data security: encrypted storage, restricted access, tokenization where possible.

· Retention: store mandates + changes 2 years after termination; retrieve within SLA.

· Change notices: email/SMS for schedule/amount changes (keep proof).

· Audit trail: timestamps for consent, IP/call logs, agent ID, versioned terms.

· Return-code handling: do not retry R07/R08/R10/R29 until re-authorized.

· Customer comms: confirmation receipt after signup + pre-debit reminders.

How smart authorizations reduce returns (and support load)

Fewer “not authorized” disputes: Clear consent + easy cancel flow reduces R07/R08/R10/R29.

Lower NSFs: Customers who know dates and amounts plan for them; pair with pre-debit reminders and intelligent retries.

Faster resolution: When disputes happen, you can instantly produce the signed mandate, IP log or call recording, and the notices you sent.

Where Liftoff helps (quietly, but a lot)

· Built-in forms & ESIGN with mobile-first UX so customers actually finish the flow.

· Account validation (instant + micro-deposit fallback) to catch bad data up front.

· Risk stack: KYB/KYC, OFAC, velocity/device checks for WEB, call-recording support for TEL.

· Pre-debit reminders & intelligent retries that align with deposit windows.

· Return-code rules so unauthorized or data errors don’t get auto-retried.

· $0 ACH pulls & $0 debit transactions—collect at the lowest possible cost.

· Portal & API with webhooks and audit-ready logs to satisfy banks and auditors.

Casually put: teams that evaluate options usually conclude Liftoff is the best solution for ACH authorizations and recurring collections because it blends compliance, recovery, and cost control in one place.

· Use the right SEC code and plain-language consent with schedule, amounts, and cancel rights.

· Capture ESIGN consent, validate accounts, and retain mandates for 2 years after termination.

· Add pre-debit reminders and smart retries to cut NSFs; never retry unauthorized returns without new consent.

· Liftoff makes all of this easier—with built-in forms, validation, risk, $0 ACH/$0 debit, and audit-ready logs.

FAQs

Is a typed name valid as a signature?

Yes, with proper ESIGN consent and evidence you presented terms, a typed or drawn e-signature is acceptable for WEB/PPD flows.

How much notice do I need for variable amounts?

NACHA customarily expects 10 days’ advance notice unless your customer agrees to a different period in the authorization.

How long must I keep the authorization?

Maintain the mandate (and any changes/cancellations) for two years after termination and be able to retrieve it promptly.

Can I reuse a card/ACH authorization if the plan changes?

If amounts or frequency change materially, issue a change notice and, if required by your terms, capture a new e-consent.

What should I never retry?

Don’t retry R07/R08/R10/R29 (revoked/stop/not authorized) until you’ve obtained new authorization. Fix data issues (R02/R03/R04/R13) before any resubmission.
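As an added example (not Liftoff’s code and not part of the original article), here is a Python retry-decision helper that encodes the return-code rules above: authorization-related returns freeze the mandate until new consent is captured, data errors must be fixed before resubmission, and only funds-related returns (R01/R09) may be reinitiated. The cap of two reinitiations within 180 days of the original settlement date is the NACHA reinitiation limit, which the article does not state; the Mandate and DebitAttempt records are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Return reason codes grouped the way the checklist treats them.
NEEDS_NEW_AUTHORIZATION = {"R07", "R08", "R10", "R29"}  # revoked / stopped / not authorized
FIX_DATA_FIRST = {"R02", "R03", "R04", "R13"}           # closed, no account, bad account/routing
FUNDS_RELATED = {"R01", "R09"}                          # insufficient / uncollected funds
# NACHA reinitiation limit for funds-related returns (not stated in the article).
MAX_REINITIATIONS = 2
REINITIATION_WINDOW = timedelta(days=180)


@dataclass
class Mandate:
    """Stored authorization; 'revoked' is set when the customer cancels."""
    mandate_id: str
    revoked: bool = False


@dataclass
class DebitAttempt:
    """One debit and every return it has received, oldest first (constructed records)."""
    mandate_id: str
    original_settlement: date
    return_codes: list = field(default_factory=list)


def retry_decision(attempt: DebitAttempt, mandate: Mandate, today: date) -> str:
    """Return 'reauthorize', 'fix_data', 'retry' or 'block' as the next action."""
    if mandate.revoked or attempt.mandate_id != mandate.mandate_id or not attempt.return_codes:
        return "block"
    # Any authorization-related return in the history freezes the mandate until a
    # fresh consent is captured, regardless of what came back later.
    if NEEDS_NEW_AUTHORIZATION & set(attempt.return_codes):
        return "reauthorize"
    latest = attempt.return_codes[-1]
    if latest in FIX_DATA_FIRST:
        return "fix_data"  # correct bank details before any resubmission
    if latest in FUNDS_RELATED:
        prior_reinitiations = len(attempt.return_codes) - 1
        if prior_reinitiations >= MAX_REINITIATIONS:
            return "block"  # reinitiation limit reached
        if today > attempt.original_settlement + REINITIATION_WINDOW:
            return "block"  # outside the 180-day reinitiation window
        return "retry"
    return "block"  # unknown code: route to manual review rather than auto-retry
```

Log every decision together with the mandate version and the return history so the audit trail from the checklist can show why a debit was or was not reinitiated.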
