If you move money with ACH, you’ve probably noticed that authorization rules aren’t one-size- fits-all. The way you collect a customer’s permission changes with the SEC code you use—and those three letters decide what proof you must keep on file. This guide walks through the codes you’ll see most often, why they matter for compliance, and how the Liftoff ACH Platform keeps everything tidy without slowing your operation.
The cast of characters (quickly)
ACH is governed by NACHA, which sets the rules for how funds move between banks. Your bank (or your processor’s bank) that originates the entry is called the ODFI. The customer’s bank that receives it is the RDFI. You, the business, are the Originator; your customer is the Receiver. Each debit or credit you send becomes an ACH Entry. From there, SEC codes tag the entry based on how and where the customer authorized it.
How SEC codes frame authorization
SEC codes are shorthand for the permission path. Here are the four you’ll run into most in everyday operations:
PPD — written consumer authorization
Prearranged Payment and Deposit (PPD) cover consumer payments where you’ve obtained written authorization—think gym memberships, daycare tuition, utility bills, or direct deposit. You can use PPD for one time or recurring debits and credits. To be NACHA-compliant, the authorization must be clearly labeled as ACH authorization, written in plain terms, allow the consumer to revoke as specified, and be signed or similarly authenticated.
TEL — authorization by phone
Telephone-Initiated Entry (TEL) covers consumer payments authorized over the phone. Because this is oral authorization, you’ll either record the call (with notice and consent) or send written confirmation before settlement. During the call, you must clearly disclose: the debit date (and schedule if recurring), the amount, consumer name, the account to be debited, a working customer-service phone number, the date of authorization, and a statement that the authorization will be used to originate an ACH debit. If it’s recurring, explain how revocation works.
WEB — consumer authorization online or in-app
Internet-Initiated/Mobile Entry (WEB) applies to consumer debits authorized online. The customer must sign or similarly authenticate the authorization electronically; the language should be clearly labeled as an ACH debit authorization and describe how to revoke. In practice, you’ll want evidence like timestamps, login/account identifiers, IP/ device fingerprints (where appropriate), a snapshot of the authorization text presented at checkout, and records tying the authorization to the goods/services. Refunds of prior WEB debits are typically sent as PPD credits.
CCD — business-to-business (B2B)
Corporate Credit or Debit (CCD) covers transfers between businesses —for example, paying a vendor or collecting from a commercial tenant. CCD entries can be one-time or recurring. For debits, maintain an agreement between the parties (written authorization is implied by the agreement), make terms clear, allow revocation per the contract, and ensure the signer is an authorized representative of the company.
Why SEC codes matter more than labels
NACHA requires explicit authorization for every debit. If there’s a dispute, you’ll be asked to show evidence that the consumer or company agreed to the specific debit and its terms. Using the right SEC code does two things: it tells you which proof to keep, and it reduces risk of returns, chargebacks, and network violations. Put plainly: proper SEC usage is both compliance and revenue protection.
Practical examples (how merchants apply this)
· A fitness studio signs customers up with a PPD authorization form during onboarding.
· A collections team accepts repayment over the phone using TEL, recording the call and sending confirmation.
· An online lender or subscription business accepts payments via a WEB checkout, storing the presented authorization text, timestamp, and account consent trail.
· A property manager invoices a corporate tenant via CCD, backed by the lease/payment agreement.
Making compliance easy with Liftoff ACH Platform
The Liftoff ACH Platform is designed so operators don’t have to memorize rulebooks. In our dashboard and API:
· Choose (or auto-default) the correct SEC code per flow—PPD, TEL, WEB, or CCD.
· Use built-in, human-readable authorization templates for each code.
· Capture and store evidence automatically (timestamps, consent artifacts, authorization snapshots) to support audits and reduce return risk.
· Manage one-time and recurring schedules with consistent records across all codes.
· Pair with RTP funding and same-day ACH where applicable to align collection timing and cash flow.
If you’re expanding into new channels (phone + web + in-person) or adding B2B billing, Liftoff lets you mix SEC codes safely, with clear audit trails for each transaction you originate.
Final thought
SEC codes are simply the map from how you obtained permission to what you must keep on file. When you get that right, disputes shrink, returns drop, and finance stays calm. If you want an ACH stack that bakes in the right rules from day one—and gives your team clean, exportable records—Liftoff ACH Platform is your shortcut.