Corporate User Header Image

Third-Party Sender User

 

Compliance Resources

Third-Party Sender Education

Resources

Tools

FAQ

What am I?

Welcome to EPCOR’s Third-Party Sender User webpage. This page is for organizations participating in the ACH Network as Third-Party Senders and is intended to be a preliminary resource for your ACH compliance needs. Here you will find information and tools to assist you in the determination of your unique ACH Rules compliance obligations, as well as, opportunities to further your understanding through educational courses, ACH Compliance Audits, ACH Risk Assessments and consulting engagements.

Compliance Resources

 

Compliance Resources for Third-Party Senders

EPCOR Can Help You Maintain Compliance and Manage Risk

Third-Party Sender ACH Compliance Audit & Risk Assessment Services

Leverage our payments experts to meet your requirements to conduct an annual ACH Audit and periodic Risk Assessment to gain actionable insight into compliance, efficiency, risk management and more.

Request a Quote

Customizable Third-Party Consulting Services

Our payments experts can help you with understanding your compliance requirements, enhancing your risk management program, increasing efficiencies and more.

Request a Quote

Third-Party Sender ACH Audit & Risk Assessment Workbooks

If you prefer to conduct your own ACH Audit and Risk Assessment, our helpful workbooks will guide you through the process, document your level of compliance and provide a report of findings.

Explore Workbooks

EPCOR Membership for Third-Party Senders

Consider becoming an EPCOR member for ongoing assistance with payments compliance covering all payments channels – not just ACH! Membership includes Members-only pricing for services, access to EPCOR Industry Update webinars, a private Knowledge Community, our toll-free helpline for answers to ongoing payments questions and more!

Explore Membership

 

Third-Party Sender Education

 

NEW Third Party Sender Roles & Responsibilities

Effective September 30, 2022, new ACH Rules address roles and responsibilities of Third-Party Senders, with special attention to nested Third-Party Senders and Third-Party Sender Risk Assessments.

ODFIs and Third-Party Senders will need to work together to:

  • Identify nested Third-Party Sender relationships
  • Ensure that Third-Party Senders (and Nested Third-Party Senders) conduct an ACH Risk Assessment
  • Update policies, processes, procedures and agreements

Quick Tips

 

ACH Authorizations

 

On September 17, 2021, Nacha implemented various ACH Rule amendments designed to improve and simplify the ACH user experience by facilitating the adoption of new technologies and channels for the authorization and initiation of ACH payments. Nacha is hopeful that these amendments will reduce barriers to use the Network, provide clarity and increase consistency around certain ACH authorization processes and reduce certain administrative burdens related to ACH authorizations.

 

Standing Authorization/Subsequent Entry Grid
Standing Authorization Received Via: Originator Receives Subsequent Entries Instructions Via: SEC Code of Subsequent Entry
In writing Internet or Wireless Network PPD or WEB
Telephone (orally over the phone) PPD or TEL
Internet or Wireless Network Internet or Wireless Network WEB
Telephone (orally over the phone) TEL or WEB
Orally Via a Telephone Call Internet or Wireless Network TEL or WEB
Telephone (orally over the phone) TEL
 

Originator Proper Response to a Notification of Change (NOC):

 

It is important for Third-Party Senders to understand their role in the receipt of an NOC that is provided by the ODFI. If the Originator is responsible for making the update to the Receivers account information, the NOC needs to be provided to the Originator in a reasonable amount of time to ensure the Originator meets their responsibilities to make the appropriate change.

An Originator and/or Third-Party Sender must make the changes specified in an NOC or corrected NOC within six Banking Days of receipt of information from the Third-Party Sender or prior to initiating another Entry to the Receiver’s account, whichever is later.

An Originator and/or Third-Party Sender may choose to make changes specified in an NOC or corrected NOC with respect to any ARC, BOC, POP, RCK, Single-Entry TEL or WEB.

For an NOC that is in response to a Prenotification Entry, the Originator or Third-Party Sender must make the changes prior to originating a subsequent Entry to the Receiver’s account if the NOC is received by the ODFI by the opening of business on the second Banking Day following the Settlement Date of the Prenotification Entry.

Resources

 

video

Payments Insider

Payments Insider is a semi-annual e-newsletter designed to inform businesses of all sizes of recent payment systems developments. This newsletter is distributed in the months of April and October.

Read Now

video

Upcoming ACH Rule Changes

 

  • Supplementing Data Security Requirements (Phase 2)
  • Micro-Entries
  • Third-Party Sender Roles and Responsibilities

 

Learn More

video

Did You Know

EPCOR’s Did You Know YouTube Videos are a great way to get current payments information quickly. View the latest videos here.

Watch Now

video

Nacha End-User Resources

Micro-Entries

Download

Reversals

Download

Expanding Same Day ACH Hours

Download

Supplementing Data Security Requirements

Download

Supplementing Fraud Detection Standards for WEB Debits

Download

Documents Resource icon

Documents Resource

This resource will give Third-Party Senders an at-a-glance view of the following:

  • Documentation Retention Schedule
  • Document, presentment and authorization requirements
  • Ineligible source documents

Download

Return Reason Code Resource icon

Return Reason Code Resource

It is essential that an Originator work with the Third-Party Sender in establishing procedures for handling ACH returns. Third-Party Senders should also be aware of the specific return reason codes in order to understand the reason the Entry has been Returned. This resource does not contain all ACH return reason codes but the codes commonly used.

Download

Return Reason Code Resource icon

Synthetic Identity Fraud Mitigation Toolkit

As the threat of synthetic identity fraud continues to grow, the Federal Reserve remains committed to supporting the payments industry in its battle against this type of fraud.

Learn More

Tools (available for purchase):

 

ACH Quick Reference Cards Corporate User

ACH Quick Reference Cards for Corporate Users

This tool is specifically designed for corporate ACH users. This three-card series gives Originators and Third-Party Senders fingertip access to critical information for the correct handling of ACH Returns, Dishonored Returns, Standard Entry Class (SEC) codes, Transaction codes and Notifications of Change (NOC). These colorful and durable desktop reference cards provide ACH basics, including prenotifications, for Originators and Third-Party Senders along with the explanations for Return Reason codes, NOC codes, SEC codes, transaction codes and solutions for handling ACH exception entries.

Purchase Now

2025 ACH Rules Book

Nacha Operating Rules & Guidelines

The Rules include the legal framework for the ACH Network, and the basic obligations of each ACH Network participant. Additionally, the included appendices contain details on Rules enforcement, annual audit requirements, a complete table of return reason codes and formatting specifications. The Guidelines expands on the Rules, providing complete discussions of each ACH Network participant type and its role and responsibilities, detailed overviews of the Standard Entry Class Codes and use-case examples in special topic areas, such as Third-Party Service Providers.

Purchase Now

Third-party Sender ACH Audit Workbook

Third-Party Sender ACH Audit Workbook

Third-Party Senders that perform any functions of an ODFI are required to conduct an annual ACH Rules Compliance Audit. This user-friendly workbook has been updated to incorporate 2022 ACH Rules changes and will walk Third-Party Senders step-by-step through conducting their audit. Audit questions, sample reports and complete worksheets based on the ACH Rules are all included in this helpful tool, making it easy for Third-Party Senders to assess and document their level of compliance.

Purchase Now

video

Third-Party Sender Risk Assessment Workbook

This user-friendly workbook is designed to take Third-Party Senders step-by-step through the ACH risk assessment process. The workbook addresses risk criteria outlined in OCC Bulletin 2006-39, the FFIEC Retail Payments Systems' IT Examination Handbook and FFIEC Guidance to Internet Banking so that your company can identify strengths and weaknesses in your ACH risk management program. Third-Party Senders will find this tool valuable as they work to assess and mitigate ACH risk.

Purchase Now

ODFI Audit Checklists for Originators & TPS

ODFI Audit Checklists for Originators & TPS

This tool contains a series of audit checklists providing an efficient tool for Third-Party Senders to gauge their Originators'/Nested Third-Party Senders' understanding and compliance to the ACH Rules. These checklists can be completed by staff or sent to the Originator and/or Nested Third-Party Sender to complete on its own then return to the Third-Party Sender. Each Audit Checklist is a fillable PDF form for each type of ACH application. Complete or send the forms that are specific to the ACH services your organization originates.

Purchase Now

Third-party Sender ACH Audit Workbook

ACH Quick Reference Guide for Corporate Users

The purpose of the ACH Quick Reference Guide for Corporate Users is to help corporate Originators and Third-Party Senders to comply with the Nacha Operating Rules. It is a summary of those tasks most important to Originating ACH debits and credits. This Guide is not intended to replace the 2022 Nacha Operating Rules but to serve as a resource for corporate Originators and Third-Party Senders to understand their obligations outlined within the 2022 Nacha Operating Rules.

Purchase Now

video

Corporate User Bundle

Bundle the ACH Rules with BOTH Quick Reference Tools to Save an Additional 5%
Each bundle includes the ACH Rules, ACH Quick Reference Guide for Corporate Users and Corporate ACH User Quick Reference Cards. Digital Bundle includes access to ACH Rules Online Resource.

Purchase Now

FAQs

 

Explore our FAQs to get answers to common payment questions. Subsection(s) referenced in the FAQs can be found in the ACH Rules.

ACH Originator Authorizations

Do Originators need to obtain an authorization from a Receiver to originate transactions into the ACH Network?

Generally, an Originator must obtain authorization from the Receiver to originate one or more entries to a Receiver’s account, except for credit entries for which the Originator and Receiver are both natural Persons. (Subsection 2.3.1)

Do authorizations need to be in writing for ACH transactions?

The Originator of a credit entry to a consumer account of the Receiver may obtain the Receiver’s authorization in any manner permitted by applicable legal requirements. (Subsection 2.3.2.1) The Originator of a debit entry to a consumer account of the Receiver must obtain a written authorization that is signed or similarly authenticated by the Receiver. (Subsection 2.3.2.2)

Can authorizations be obtained electronically?

The writing and signature requirements for consumer debit entries may be satisfied by complying with the Electronic Signatures in Global and National Commerce Act (E-sign Act). An electronic authorization must be visually displayed in a manner that enables the consumer to read the communication. (Subsection 2.3.2.3)

At a minimum, what must an authorization for a debit entry to a consumer account of the Receiver include?

  • Language regarding whether the authorization is for a single entry, multiple entries or recurring entries.
  • Amount of entry/entries or a reference to the method of determining the amount.
  • Timing (including start date), number and/or frequency of entries.
  • Receiver’s name or identity.
  • Account to be debited.
  • Date of the Receiver’s authorization; and
  • Language that instructs the Receiver how to revoke the authorization directly with the Originator (including time and way Receiver communication with Originator must occur).
  • For a single-entry scheduled in advance, the right of the Receiver to revoke the authorization must afford the Originator a reasonable opportunity to act on the revocation prior to initiating the entry.

What are the authorization requirements for an oral authorization?

For a single-entry authorized by a Receiver, Originator must make an audio recording of the oral authorization or provide the Receiver with written notice confirming the oral authorization prior to settlement of entry and retain the original or a copy of the written notice confirming oral authorization for two (2) years from date of authorization. For a recurring entry authorized by the Receiver, Originator must comply with the requirements of Regulation E for the authorization of preauthorized transfers, including the requirement to send a copy of the authorization to the Receiver and retain for two (2) years from the termination or revocation of the oral authorization, the original or duplicate audio recording of oral authorization and evidence that a copy of the authorization was provided to the Receiver in compliance with Regulation E. For a standing oral authorization, Originator must make audio recording of oral authorization or provide Receiver with written notice confirming oral authorization prior to settlement of the first subsequent entry and retain the original or duplicate audio recording of oral authorization or the original/copy of the written notice confirming the oral authorization for two (2) years from termination or revocation of standing authorization. (Subsection 2.3.2.4)

Do Originators need to retain copies of authorizations?

Yes, an Originator must retain the original or a copy of each written authorization of a Receiver, or a readily and accurately reproducible record evidencing any other form of authorization. (Subsection 2.3.2.5 (a))

How long must an Originator retain authorizations?

An Originator must retain the original or a copy of each written authorization of a Receiver, or a readily and accurately reproducible record evidencing any other form of authorization, for two (2) years from the termination or revocation of the authorization.

With respect to a standing authorization, Originator must retain original or a copy of each standing authorization for two (2) years following the termination or revocation of the authorization, as well as proof that the Receiver affirmatively initiated each payment in accordance with the terms of the standing authorization for two (2) years following the settlement date of the entry. (Subsection 2.3.2.7)

Do Third-Party Senders have to supply a copy of an authorization to an ODFI?

Upon the request of an ODFI (Originating Depository Financial Institution), a Third-Party Sender must provide the original, copy or other accurate record of the Receiver’s authorization, including, with regard to a standing authorization, evidence of the Receivers affirmative action to initiate a subsequent entry in accordance with the terms of the standing authorization. Third-Party Sender must provide in such time and manner as to enable the ODFI to deliver the authorization to a requesting RDFI (Receiving Depository Financial Institution) within ten (10) banking days. (Subsection 2.3.2.7 2(c)

How does an Originator satisfy the authorization requirement for an ARC (Accounts Receivable Entry) or POP (Point-of-Purchase) entry?

By providing the Receiver with a conspicuous notice including the following or substantially similar language prior to the receipt of an Eligible Source Document (i.e. check):
“When you provide a check as payment, you authorize us either to use information from your check to make a one-time electronic fund transfer from your account or to process the payment as a check transaction.” Copy of notice must be provided to Receiver at the time of transaction. (Subsections 2.5.1.2 and 2.5.10.2)

How does an Originator satisfy the authorization requirement for a BOC (Back Office Conversion Entry) entry?

By providing the Receiver with a conspicuous notice including the following or substantially similar language prior to the receipt of an Eligible Source Document (i.e. check):
“When you provide a check as payment, you authorize us either to use information from your check to make a one-time electronic fund transfer from your account or to process the payment as a check transaction. For inquiries, please call (retailer phone number.)” Copy of notice must be provided to Receiver at the time of transaction. (Subsection 2.5.2.2)

ACH Prenotifications

As an Originator and/or Third-Party Sender, am I required to send a prenotification for an ACH entry prior to initiating the first live entry?

No, according to the ACH Rules you may originate a prenotification entry to a Receiver’s RDFI prior to the first transaction you send. (Subsection 2.6.1)

If an Originator and/or Third-Party Sender decides to send prenotifications, what is the timeframe they have before they can send subsequent entries?

An Originator and/or Third-Party Sender that has originated a prenotification entry may initiate subsequent entries as soon as the third banking day following the settlement date of the prenotification entry, provided the ODFI has not received a return or notification of change related to the prenotification. (Subsection 2.6.2)

Notification of Change

How long does an ODFI have to notify a Third-Party Sender that a Notification of Change (NOC) was received from the RDFI?

An ODFI must provide the Third-Party Sender with the NOC information within 2 banking days of settlement date of the NOC or corrected NOC. (Subsection 2.11.1)

Are Originators and/or Third-Party Senders required to make NOC changes when received from the ODFI?

Yes, an Originator and/or Third-Party Sender must make the changes specified in the NOC or corrected NOC within 6 banking days of notification receipt or prior to initiating another entry, whichever is later.
An Originator and/or Third-Party Sender may choose, at its discretion, to make changes specified in any NOC or corrected NOC received with respect to any ARC, BOC, POP, RCK and Single-Entry TEL or WEB.
For an NOC received in response to a prenotification, the Originator and/or Third-Party Sender must make the changes prior to originating a subsequent entry if the NOC is received by the ODFI by the opening of business on the 2nd banking day following the settlement date of the prenotification. (Subsection 2.11.1)

ACH Returns

How long does a business have to return an ACH transaction that is unauthorized?

It is important for businesses to watch their accounts closely as the RDFI has only 2 banking days from settlement date to return CCD and CTX transactions that post to a non-consumer account. The RDFI may request a copy of the authorization for the transaction and ask the ODFI to accept a late return but the ODFI is not required to take a late return. This would only be an attempt to the recover the money. The Originator and Receiver may also deal directly with one another to resolve the issue.

An Originator and/or Third-Party Sender is notified that an ACH transaction they originated has been returned R10. What does this mean for the Originator or Third-Party Sender?

This means the Receiver did not know the identity of the Originator or Third-Party Sender, had no relationship with the Originator or Third-Party Sender or did not authorize the Originator or Third-Party Sender to debit their account. For an ARC or BOC entry it means the signature on the source document (check) is not authentic, valid or authorized. For a POP entry it means the signature on the written authorization is not authentic, valid or authorized.

If an Originator has a valid authorization on file and receives an R10 return, can they reinitiate the entry?

If a consumer Receiver completes a Written Statement of Unauthorized Debit form, the RDFI may return a consumer transaction within 60 calendar days. The Originator or Third-Party Sender must not reinitiate the entry. The Originator can settle the matter with the consumer outside of the ACH Network or gain a new authorization and send another transaction through.

An Originator and/or Third-Party Sender is notified that an ACH transaction they originated has been returned R11. What does this mean for the Originator or Third-Party Sender?

This means the Receiver has a relationship and authorization for a debit with the Originator or Third-Party Sender, however; an error in the payment exists such that the entry does not conform to the terms of the authorization obtained from the Receiver. For example, the entry is for a different amount than authorized, the entry was initiated for settlement earlier than authorized, the entry is part of an incomplete transaction, the debit entry was improperly reinitiated and for an ARC, BOC or POP entry, the source document was ineligible, notice was not provided or the amount was not accurately obtained from the source document. It could also mean that a reversing entry was improperly initiated or the Receiver did not affirmatively initiate a subsequent entry in accordance with the terms of a standing authorization.

Is an Originator and/or Third-Party Sender allowed to reinitiate an ACH transaction that has been returned R11?

An R11 return does not require a new authorization, however; an Originator or Third-Party Sender may reinitiate an R11 return entry (other than an ARC, BOC, or POP) if the Originator or Third-Party Sender transmits a new entry that conforms to the terms of the original authorization.

ACH Origination

Why is it important for an Originator and/or Third-Party Sender to utilize the proper SEC (Standard Entry Class Code) code when originating transactions into the ACH Network.

Utilizing the proper SEC code is paramount for several reasons:
  • Returns are based on SEC code. For example, a business originates a debit to another business for supplies they have shipped, and they use the PPD code. This transaction should be coded as a CCD. Since the PPD code was utilized, the business Receiver of the transaction now has 60 days to dispute the transaction as unauthorized versus the 2 days for a CCD transaction.
  • There are different authorization requirements depending on the SEC code. Utilizing the correct SEC code for a transaction tells the RDFI what type of authorization was obtained.
  • When your company signed an ODFI/Third-Party Sender agreement you agreed to originate certain SEC codes based on that agreement.

Reversing Entries (Section 2.9)

How must an Originator and/or Third-Party Sender initiate a proper Reversing Entry?

An Originator and/or Third-Party Sender may initiate a reversing entry to correct an erroneous entry previously initiated to a Receiver’s account. An authorization is not required for a reversal entry if all the requirements of Section 2.9 of the ACH Rules are followed.

Appropriate Reason to Send a Reversal (Subsection 2.9.1)

Must Not Use Reversal Process (Subsection 2.9.5)
Duplicate file or entry Failed to fund entry*
  • Originator
  • Third-Party Sender
Payment in wrong amount Outside of 5 banking days of Settlement Date of erroneous entry
Payment destined to wrong Receiver *Effective 6-30-21
Employee received both a separation check and a direct deposit
Error in Effective entry date*

For each reversing entry, the content of the following fields must remain unchanged from the original, erroneous entry to which the Reversal relates:

  • Standard Entry Class Code
  • Company Identification/Originator Identification; and
  • Amount

The description “REVERSAL” must replace the original content of the Company Entry Description field within the file format transmitted in the original batch, including content otherwise required by the ACH Rules.

If you have a suggestion to improve this page, we would love to hear it. Please complete this form and share your great idea!

Have Ideas?

Not an EPCOR Member? Join today and experience our commitment to providing reliable, timely and accurate payments and risk management education, information, support and national industry representation.

Join Now