Collecting via ACH is low-cost and scalable—but only if you nail compliance. This practical guide covers the must-haves for lenders/MCA providers: correct SEC codes, clear authorizations, ESIGN/UETA, revocation and retention rules, account validation, OFAC/KYB/KYC, and return-code handling. We’ll also show how Liftoff Platform bakes these controls into your day-to-day, so you can reduce NSFs, avoid “not authorized” disputes, and stay audit ready.
Not legal advice—confirm specifics with your ODFI/processor and counsel.
Why ACH compliance matters for lenders
· Fewer disputes & returns: Proper mandates and notices cut R07/R08/R10/R29 (“not authorized/stop”) and R03/R04 (bad data).
· Audit readiness: Clean ESIGN records, timestamps, and retention make bank reviews painless.
· Predictable cash flow: Clear schedules + pre-debit reminders = fewer NSFs and better on-time rates.
· Lower total cost: Avoid fees, reattempts, and manual cleanup work.
The core building blocks
1) Pick the right SEC code (match the consent flow)
· PPD – Consumer, written/electronic authorization (in-person/email).
· WEB – Consumer, internet-initiated; requires web consent + online fraud controls.
· TEL – Consumer, telephone-initiated; recorded consent + confirmation/script.
· CCD – Corporate debit/credit (B2B).
· CTX – Corporate with addenda (rich remittance).
Use the code that reflects how you captured consent—not just who you’re charging.
2) Authorization (mandate) essentials
· Your ACH authorization should clearly state:
◦ Parties (lender + customer) and contact info.
◦ Bank details (routing, account #, account type).
◦ Transaction type (one-time vs. recurring), start date, frequency.
◦ Amount (fixed) or variable amount with advance-notice policy (commonly 10 days).
◦ How to revoke (method + timing, e.g., ≥3 business days before next debit).
◦ Explicit consent to debit via ACH and acknowledgment of rights.
◦ Signature & date (e-signature allowed with ESIGN/UETA).
· Retention: keep the authorization (and changes) for 2 years after termination.
3) ESIGN/UETA + disclosure hygiene
· Present terms clearly, gain affirmative consent to electronic records, and timestamp the agreement.
· For TEL, record the call or send a compliant written confirmation.
4) Identity, sanctions, and account checks
· KYB/KYC & OFAC screening for business/owners before first movement of funds.
· Account validation (instant + micro-deposit fallback) to catch R02/R03/R04 upfront.
5) Notices & reminders
Send pre-debit reminders (e.g., T-72h/T-24h) and change notices for variable amounts or schedule changes.
6) Data security & access
Encrypt at rest/in transit, restrict access to PII, log all access and changes, and keep immutable audit trails.
Return-code policy (what to retry—and what not to)
· Retry-eligible once (timed to deposits):
◦ R01/R09 (NSF/Uncollected)—one intelligent retry aligned to payroll/posting windows.
· Fix before any retry:
◦ R02/R03/R04/R13 (account/routing issues) → correct data or re-authorize.
· Do not retry without new consent:
◦ R07/R08/R10/R29 (revoked/stop/not authorized). Obtain a fresh authorization first.
Log actions + reasons for every exception; auditors love clear trails.
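The return-code policy above, as an added example (not Liftoff code): a small decision function that maps a return code to an action, enforces the one-retry budget for R01/R09, blocks the mandate on revoked/stop/not-authorized codes, and logs the reason for every decision. Code groups, the `Mandate` type and the action names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Return-code classes from the policy above (constructed for this example).
RETRY_ELIGIBLE = {"R01", "R09"}                  # NSF / uncollected funds
FIX_BEFORE_RETRY = {"R02", "R03", "R04", "R13"}  # account or routing data problems
CONSENT_REVOKED = {"R07", "R08", "R10", "R29"}   # revoked / stop / not authorized
MAX_RETRIES = 1                                  # "retry-eligible once"


class Action(Enum):
    RETRY_ONCE = "retry_once"    # schedule one reattempt at the deposit window
    FIX_DATA = "fix_data"        # hold until data is corrected or re-authorized
    NEW_CONSENT = "new_consent"  # deactivate mandate; fresh authorization required
    BLOCK = "block"              # retry budget exhausted or unknown code: escalate


@dataclass
class Mandate:
    """Hypothetical per-authorization state; audit_log is the exception trail."""
    mandate_id: str
    active: bool = True
    retries_used: int = 0
    audit_log: list = field(default_factory=list)

    def record(self, code: str, action: Action, reason: str) -> None:
        self.audit_log.append({"code": code, "action": action.value, "reason": reason})

    def mark_settled(self) -> None:
        """A successful debit resets the retry budget for the next cycle."""
        self.retries_used = 0


def handle_return(mandate: Mandate, code: str) -> Action:
    """Apply the return-code policy to one returned debit and log why."""
    if not mandate.active:
        action, reason = Action.BLOCK, "mandate inactive; new authorization required"
    elif code in CONSENT_REVOKED:
        mandate.active = False  # nothing on this mandate may be auto-retried again
        action, reason = Action.NEW_CONSENT, "revoked/stop/not authorized; never auto-retry"
    elif code in FIX_BEFORE_RETRY:
        action, reason = Action.FIX_DATA, "bad account/routing data; correct before resubmitting"
    elif code in RETRY_ELIGIBLE and mandate.retries_used < MAX_RETRIES:
        mandate.retries_used += 1
        action, reason = Action.RETRY_ONCE, "one timed retry aligned to deposit window"
    elif code in RETRY_ELIGIBLE:
        action, reason = Action.BLOCK, "retry budget exhausted; escalate to collections"
    else:
        action, reason = Action.BLOCK, f"unhandled return code {code}; manual review"
    mandate.record(code, action, reason)
    return action
```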
Operating playbook for compliant ACH collections
1. At onboarding
◦ Select correct SEC code, capture ESIGN consent, and validate the account.
◦ Run KYB/KYC + OFAC; store artifacts with timestamps.
2. Set the schedule
◦ Let customers choose a due day; document variable-amount notice terms.
◦ For recurring plans, present a clear summary (amount/frequency/start).
3. Communicate
◦ Send pre-debit reminders with easy actions: pay now, reschedule, update method.
◦ Issue change notices when amounts or dates shift.
4. Handle failures cleanly
◦ Apply return-code rules; only retry R01/R09 once, never retry “not authorized/stop” without new consent.
◦ Offer self-serve updates for bank/card details.
5. Retain & reconcile
◦ Keep the mandate + change history for at least 2 years post-termination.
◦ Push events to GL/ERP/CRM via webhooks; send receipts automatically.
Compliance checklist (print this)
· SEC code matches the consent flow (PPD/WEB/TEL/CCD/CTX)
· Plain-language authorization, schedule, amount/notice, revocation path
· ESIGN consent captured and timestamped; TEL calls recorded or confirmed
· KYB/KYC + OFAC screening completed, artifacts stored
· Account validated (instant + micro-deposit fallback)
· Pre-debit reminders enabled; change notices for variable amounts
· Return-code rules enforced (no unauthorized retries)
· Encryption, access controls, immutable audit logs
· Mandate retention policy (≥2 years after termination)
· Audit retrieval SLA documented (who pulls what, how fast)
How Liftoff Platform makes ACH compliance easier
· Built-in authorizations & ESIGN: Mobile-first forms for PPD/WEB/TEL/CCD/CTX with timestamps and versioned terms.
· KYB/KYC & OFAC baked in: Screen businesses, owners, and signers; store clearance logs.
· Account validation: Instant verification + micro-deposit fallback to prevent data-error returns.
· Pre-debit reminders & dunning: Automated nudges, one-tap payment links, and intelligent retries aligned to deposit windows.
· Return-code automation: Policy-driven actions (retry/block/escalate) and never auto retry unauthorized/stop codes.
· Retention & audit: Mandates, artifacts, and event logs are searchable and exportable for bank reviews.
· $0 ACH pulls & $0 debit: Run collections and invoice payments at near-zero per transaction cost; RTP available for instant credits/refunds.
· Portal + API + webhooks: Launch fast, integrate deeply, and auto-reconcile to your GL/ERP/CRM.
Summary
ACH collections in lending are straightforward when compliance comes first: correct SEC codes, clear authorizations with ESIGN, robust KYB/KYC & OFAC, account validation, reminders, and return-aware retries. Do that, and you’ll lower disputes, trim NSFs, and pass audits without drama. Liftoff wraps these controls into your daily operations—authorizations, validation, reminders, return-code automation, audit trails, and zero-fee rails—so you stay compliant while improving cash flow.
FAQs
Do I need a new mandate if the amount changes?
If amounts are variable, your authorization must state a notice policy (commonly 10 days). If terms change materially beyond what the customer agreed to, provide a change notice and, if required by your terms, capture new consent.
How long do I keep authorizations?
Retain the mandate (and changes/cancellations) for 2 years after termination and be able to retrieve it promptly for audits.
Can I use e-signatures for ACH consent?
Yes—ESIGN/UETA apply. Capture affirmative consent to electronic records and timestamp the acceptance.
What should I never retry?
Never retry R07/R08/R10/R29 (revoked/stop/not authorized) without new authorization. Fix data issues (R02/R03/R04) before any resubmission.
How do I reduce NSF returns?
Validate accounts up front, send pre-debit reminders, and attempt one timed retry for R01/R09 at predicted deposit windows. Let customers pick due dates to match cash flow.