Skip to main content

Bank Transfers & ACH

TL;DR
  • ACH costs $0.20-$1.00 per transaction, settles T+1-2 (Same Day ACH available)
  • ACH returns are the "chargeback equivalent" - 60 days for unauthorized (R10/R29)
  • Same Day ACH limit: $1M per transaction (as of 2024)
  • SEPA Direct Debit (EU) has 8-week no-questions-asked refund right for consumers
  • Checks still exist in US B2B; convert to ACH via Check 21 / Remote Deposit Capture

ACH is the backbone of American payments. Direct deposit of your paycheck? ACH. Utility bill auto-pay? ACH. Rent payment? Probably ACH.

In 2024, the ACH Network processed 33.6 billion payments valued at $86.2 trillion. That's "trillion" with a T.

How ACH Works

ACH is a batch-based system. Unlike cards (which authorize in real-time), ACH transactions are collected throughout the day and processed in batches.

The Players

  • Originator: The entity initiating the payment (could be sender or receiver)
  • ODFI: Originating Depository Financial Institution (the originator's bank)
  • ACH Operator: The Fed or The Clearing House, which routes the transaction
  • RDFI: Receiving Depository Financial Institution (the receiver's bank)
  • Receiver: The entity receiving the payment

ACH Credits vs Debits

ACH Credit (Push): You send money to someone else. Examples: payroll, vendor payments, tax refunds. You initiate; money flows from your account to theirs.

ACH Debit (Pull): You authorize someone to take money from your account. Examples: utility bills, subscription payments, rent. They initiate; money flows from your account to theirs.

This distinction matters for fraud. ACH debits require authorization from the account holder. If you process unauthorized debits, you're exposed to returns and potential NACHA violations.

ACH Timing

Traditional ACH settles in 1-2 business days. Same Day ACH, introduced in 2016, settles the same business day if submitted before cutoff times.

Same Day ACH Settlement Windows (All Times Eastern)

  • Window 1: Submission by 10:30am, settlement at 1:00pm
  • Window 2: Submission by 2:45pm, settlement at 5:00pm
  • Window 3: Submission by 4:45pm, settlement at 6:00pm

Same Day ACH Limits

  • Current limit: $1 million per transaction (as of March 2022)
  • Proposed increase: Nacha is considering raising to $10 million
  • No limit on aggregate batch size

Why ACH Is Slower Than Cards

Cards use real-time authorization and batch settlement. ACH batches both. The ODFI collects transactions, sends them to the operator, the operator sorts and distributes to RDFIs, and RDFIs post to accounts. This batch process takes time.

ACH Costs

ACH is dramatically cheaper than cards.

Transaction TypeTypical Cost
ACH Credit$0.20-$0.50 per transaction
ACH Debit$0.20-$1.00 per transaction
Same Day ACHAdditional $0.10-$0.50 premium

Compare that to credit cards at 2.5-3.5%. For a $1,000 B2B payment, you might pay $0.50 via ACH versus $25+ via credit card.

ACH Returns

ACH transactions can be returned for various reasons. Common return codes:

CodeMeaningImplication
R01Insufficient FundsMost common. Retry or contact customer.
R02Account ClosedFind alternate payment method.
R03No Account/Unable to LocateBad account number. Verify with customer.
R10Customer Advises UnauthorizedPotential fraud. Investigation required.
R29Corporate Customer Advises Not AuthorizedB2B equivalent of R10. Serious.

Return Timeframes

  • Most returns: 2 business days
  • Unauthorized returns (R10, R29): Up to 60 calendar days

This extended return window is the ACH equivalent of chargebacks. If you process an unauthorized debit, the customer has 60 days to dispute it.

When to Use ACH

ACH Is Ideal For

  • Recurring payments (subscriptions, memberships, rent)
  • B2B payments (vendor invoices, supplier payments)
  • Large-value transactions where card fees would be prohibitive
  • Payroll and disbursements

ACH Is Less Ideal For

  • Point-of-sale retail (too slow)
  • E-commerce where instant confirmation matters
  • Customers who don't want to share bank account info
  • International payments (ACH is US domestic only)

ACH Fraud Considerations

ACH fraud looks different from card fraud.

Account takeover: Fraudster gains access to legitimate account credentials and initiates unauthorized debits or redirects credits.

Business email compromise: Fraudster impersonates vendor or executive, provides fraudulent bank account for payment. You send ACH credit to wrong account.

Unauthorized debits: Fraudster originates debits without valid authorization. When caught, transactions return as R10/R29.

From an issuer perspective, we see ACH fraud clusters differently than card fraud. It's often targeted at specific companies rather than broad attacks. A fraudster might compromise one payroll system and redirect hundreds of direct deposits.

ACH Fraud Typologies

Understanding how ACH fraud manifests helps you build better defenses.

Fraud TypeHow It WorksDetection Signals
Account Takeover (ATO)Fraudster gains legitimate credentialsUnusual login location, device change, sudden payout changes
New Account FraudFraudster opens account with stolen/fake identityVelocity of account creation, identity mismatch signals
Business Email CompromiseImpersonate vendor, change bank detailsRecent bank info change, email domain spoofing, urgency
Authorized Push Payment (APP)Trick customer into sending moneyCustomer-initiated, irreversible once sent
First-Party FraudCustomer disputes legitimate transactionHistory of disputes, pattern matching
Synthetic IdentityFraudster creates blended fake identityIdentity elements don't fully match
Payroll RedirectRedirect direct deposit to fraudster accountDirect deposit change + immediate withdrawal

ACH Fraud Prevention Checklist

ControlPurpose
Verify bank account ownershipConfirm account belongs to intended recipient
Implement dual approval for payout changesPrevent single-point-of-failure BEC attacks
Monitor for velocity anomaliesDetect unusual transaction patterns
Use positive pay / debit blocksAuthorize specific debits in advance
Validate payee before large transfersCall verified number, not email-provided number
Delay first payout to new accountsAllow time for fraudulent accounts to be identified

ACH Balance Validation

Before initiating an ACH debit, verify the account has sufficient funds to prevent R01 (Insufficient Funds) returns.

Balance Validation Methods

MethodCoverageTimingCost
Real-time balance check~85-90% of US accountsInstant$0.10-0.50/check
Plaid balanceGood for consumer accountsReal-timeVaries
MX balanceFinancial institutionsReal-timeVaries
Aggregator APIsMulti-sourceReal-timeVaries

When to Validate

ScenarioValidation Strategy
First debit from new accountAlways validate
Amount exceeds typical thresholdAlways validate
Previous R01 on this accountAlways validate
Recurring debit, established accountSample or skip
Low-value transactionsCost may not justify

Balance Check Caveats

CaveatWhy It Matters
Balance is a snapshotCan change between check and debit
Not all accounts coveredSome banks don't support real-time balance
False securityBalance check doesn't prevent R10 (unauthorized)
Privacy concernsSome customers uncomfortable sharing bank access

Best Practice

New customer + first ACH debit:
    1. Verify account ownership (micro-deposits or instant verification)
    2. Check real-time balance
    3. If balance >= amount + buffer, proceed
    4. If balance < amount, delay or request alternative payment

Buffer recommendation: Check for balance >= debit amount + 10-20% buffer. Accounts fluctuate; a $100 debit should require ~$110-120 balance to be safe.

Non-US Direct Debit Systems

ACH is a US system. Other countries have their own "pull" payment mechanisms for recurring payments.

SEPA Direct Debit (SDD): European Union

  • Covers Euro-denominated debits across 36 countries
  • Two schemes: Core (consumer) and B2B (business)
  • Key quirk: 8-week no-questions-asked refund right for Core SDD
  • Mandate-based (customer signs authorization)
  • Settlement typically D+1

UK Direct Debit

  • Dominant for subscriptions, utilities, and recurring payments
  • Protected by Direct Debit Guarantee (bank refunds customer, sorts out with merchant later)
  • Very high consumer trust
  • Mandate managed through Bacs system

BECS Direct Debit (Australia/New Zealand)

  • Similar model to ACH debits
  • Requires valid Direct Debit Request (DDR)
  • 7-day return window for most transactions

Why This Matters

If you're a global subscription business, you need different direct debit integrations for different regions. SEPA DD for EU, UK DD for Britain, ACH for US, BECS for ANZ. The concepts are similar (pull funds with mandate) but the rails, rules, and dispute windows differ.

Legacy Methods: Checks and Cash

Yes, these still exist. Understanding them provides useful context.

Cash

  • Zero chargebacks, zero processing fees
  • Instant "settlement" (you have the money)
  • But: theft risk, handling costs, armored car fees, employee shrinkage
  • Declining but still ~20% of in-person US transactions
  • Some businesses (cannabis, some service industries) are cash-heavy due to banking restrictions

Checks

  • Still significant in US B2B (legacy accounting systems, vendor preferences)
  • Risk: NSF (insufficient funds), check kiting, fraud
  • Often converted to ACH at point of deposit (Check 21, Remote Deposit Capture)
  • Settlement: 1-2 days for check clearing, but funds may be held longer
  • Declining rapidly but not dead

Why Mention These?

When evaluating payment method economics, cash and checks are the baseline. A 2.5% card fee sounds high until you factor in cash handling costs (1-2% for many retailers) or check fraud losses.

See Also