What Is ACH Debit? Definition, Authorization, and Returns (2026)

An ACH debit is a payment in which the receiver pulls funds from the sender's bank account through the ACH Network under prior authorization. It runs on the same NACHA-governed batched rail as ACH credit, but the control point is flipped: the receiver initiates the transaction with the sender's permission rather than the sender pushing the payment.

The mechanics matter more than they sound. ACH debit looks simple on paper, but the authorization model differs by SEC code, the return window for unauthorized debits runs 60 days for consumer cases, and NACHA-enforced return-rate caps can pull an originator off the network if they get blown through. For AP teams running B2B billing on ACH debit, or for finance teams handling vendor-initiated pulls coming the other way, the operating rules are the difference between a clean program and a compliance problem.

AP managers, treasurers, and SaaS billing operators need a working reference for what ACH debit actually is, when it's the right rail, what authorization the network requires, how returns and disputes work, and how to keep return rates under NACHA thresholds. The parent ACH payment overview ties both directions of the ACH rail into the broader category if the foundational distinction is the place to start.

Key Takeaways

• ACH debit is a pull, not a push. The receiver initiates the payment with the sender's prior authorization. That control point flip drives every other rule in the program: SEC code selection, return rights, dispute windows, and operating risk.

• Authorization is SEC-code specific. CCD applies to B2B (corporate-to-corporate) under a business agreement. PPD applies to consumer with written authorization. WEB carries an account-validation rule in effect since March 2022. Picking the wrong code creates compliance risk.

• The 60-day return window matters most for consumer pulls. Unauthorized-return codes (R05, R10, R11) carry 60 days. B2B CCD entries have a tighter window (typically two business days), which is why B2B is where ACH debit gets used most.

• Return-rate thresholds are enforced. NACHA caps unauthorized returns at 0.5% and overall returns at 15%. Cross either threshold and you get monitored or pulled. The 2026 Risk Management amendments add fraud monitoring and a new Company Entry Description requirement effective March 20, 2026.

• 79% of organizations were victims of attempted or actual payments fraud in 2024 per AFP's 2025 Payments Fraud and Control Survey. ACH debit blocks, validated vendor banking data, and dual-control for new payees are the basic controls.

What is ACH debit, and how does it work?

ACH debit is a payment where the receiver pulls funds from the sender's bank account through the ACH Network, governed by NACHA's operating rules. The receiver's bank (the ODFI in NACHA terms) submits a debit entry in a batch file, the ACH operator routes it to the sender's bank (the RDFI), and the funds settle one to two business days later (or same day under Same Day ACH if the cutoff is met). The sender authorizes the pull in advance, with the authorization format and timing varying by SEC code.

The scale of the rail is real. According to NACHA's 2026 Annual ACH Statistics, the ACH Network processed 35.2 billion payments worth $93 trillion in 2025, including 8.1 billion B2B payments — up 9.9% from 2024. ACH debit is a meaningful slice of that volume, particularly in recurring B2B billing, utility-style pulls, and SaaS subscription billing.

How is ACH debit different from ACH credit?

The control point is the entire distinction. ACH credit is sender-initiated, where you push a payment from your account to the receiver. ACH debit is receiver-initiated, where the receiver pulls from your account under prior authorization. Same network, same files, same settlement windows, with different control, different authorization paperwork, and different return rules. The dedicated ACH payment overview covers the broader cash-flow framing once the two directions are clear.

How is ACH debit different from a debit card payment?

They are different rails entirely, despite both being called "debit." A debit card payment runs on the card networks (Visa, Mastercard) in real time at the point of sale, with chargeback rights under the card-network rules. ACH debit runs on the ACH Network in batches with settlement one to two business days later (or same day under Same Day ACH), with returns governed by NACHA. The card rail charges interchange to the merchant; the ACH rail does not. When AI Overviews or quick definitions conflate the two, that's the misread to correct.

What authorization do you need for an ACH debit?

The authorization model varies by SEC (Standard Entry Class) code, and picking the right code is where most programs trip. The four codes that cover the bulk of B2B and consumer cases are CCD, PPD, WEB, and TEL. Each has its own authorization format and timing requirements.

When is CCD the right code, and when is WEB or PPD?

CCD is for corporate-to-corporate debits where the authorization sits in a business agreement between the two companies. That's the simplest authorization model: a signed contract, master services agreement, or purchase agreement that includes ACH debit authorization is enough. CCD is the default for vendor-initiated pulls in B2B contexts and for treasury concentration sweeps between accounts under common ownership.

PPD is for consumer debits with written authorization, typically used for recurring consumer billing (utilities, gym memberships, insurance premiums). The authorization has to be in writing, signed by the consumer, and on file with the originator. WEB is for internet-initiated consumer debits where the authorization happens through a web form. TEL is for phone-authorized consumer debits, with specific call-recording and disclosure requirements.

What does the WEB account-validation rule require?

The WEB-debit account validation rule, in effect since March 19, 2022, requires originators to validate the receiver's account before the first WEB-coded debit. Validation can happen through micro-deposits, an instant account verification service (Plaid, MX, and similar), or another commercially reasonable method that confirms the account is open and authorized. The rule exists because WEB authorizations are inherently weaker than written PPD authorizations, and the network needed a counterweight to keep return rates manageable on internet-initiated consumer debits.

For SaaS billing operators, this is the rule that surprises teams the most. If your subscription signup flow doesn't include account validation before the first debit, you're out of compliance with NACHA rules on every WEB transaction. The fix is integrating a validation step into onboarding before the first pull goes out.

What changes under NACHA's 2026 risk management amendments?

NACHA's 2025 Operating Rules updates included Risk Management amendments effective March 20, 2026. The two changes that matter most for ACH debit originators are a new fraud-monitoring requirement and a Company Entry Description requirement that adds structured detail to the debit so the receiver's bank can flag suspicious patterns. Originators need to update their submission processes and their fraud-monitoring procedures before the effective date. The point of the amendments is to give the receiving side better signal on legitimate versus suspicious activity, which over time pushes unauthorized-return rates down.

How do returns, reversals, and disputes work on ACH debit?

Returns are where ACH debit programs win or lose money. Every debit that comes back is operational work (notification, dispute handling, possible retry, possible chargeback to your customer), and the return-rate metrics roll up to NACHA enforcement thresholds. The R-codes that matter most for an AP team running ACH debit are the insufficient-funds returns (R01, R09), the unauthorized returns (R05, R10, R11), and the administrative returns (R02 closed account, R03 no account, R04 invalid account number).

A small reference of the high-traffic codes is useful here.

Source: NACHA ACH Operating Rules.

Protect cash flow with modern AP

Modernize AP to cut costs, speed approvals, and mitigate payment risk — gaining the real-time visibility to protect cash flow and scale with confidence.

Download the whitepaper

What is the 60-day consumer-unauthorized return window?

For consumer accounts (PPD and WEB primarily), the receiving bank's customer can return a debit as unauthorized within 60 days of the settlement date using return codes R05, R10, or R11. The originating bank is required to honor the return, and the funds come back out of the originator's account. That window exists because consumer authorization is harder to verify than corporate authorization, and Regulation E layers federal consumer protection on top of NACHA's network rules. Each carries its own 60-day window, and the practical effect is that any pull against an account that could be classified as consumer carries the longer dispute window.

For B2B CCD entries, the unauthorized-return window is much tighter (typically two business days), which is why B2B is the cleaner side of ACH debit operationally.

When can you retry a returned ACH debit?

NACHA's retry rule for R01 and R09 returns is up to two retries within 180 days of the original settlement date, with the description field set to "RETRY PYMT" so the receiving bank can identify it as a retry. You cannot retry indefinitely, and you cannot retry returns that came back for non-funds reasons (R02 closed account, R03 no account, R05 unauthorized). For the unauthorized cases, the return is the end of the line for that transaction; the underlying authorization needs to be resolved with the customer before any further pulls.

What return-rate thresholds does NACHA enforce?

NACHA's risk-management thresholds set a 0.5% cap on unauthorized returns (R05, R10, R11 combined as a percentage of total entries) and a 15% cap on overall returns. Cross 0.5% on unauthorized and you trigger enforcement: NACHA can require remediation plans, audits, or in extreme cases removal from the network. Cross 15% overall and you trigger monitoring. The thresholds aren't arbitrary; they reflect what a well-run debit program actually achieves at scale. A consumer subscription program crossing 0.5% on R10 is usually a signal that authorizations are weak, the signup flow isn't enforcing account validation, or the customer base is being recruited in ways that produce high dispute rates.

The practical implication for AP teams running ACH debit on the AR side: monitor the return rate weekly, segment by SEC code, and treat any drift above 0.3% on unauthorized as an early warning before you hit the 0.5% wall.

When should your business use ACH debit instead of ACH credit, wire, or card?

ACH debit fits when you need predictable, scheduled pulls from accounts where you have a prior authorization in place and the counterparty wants you to handle the timing. It doesn't fit when you need one-off variable-amount payments where the sender wants to keep control of the timing (use ACH credit), high-value time-sensitive payments where finality matters (use wire), or consumer-facing transactions where the counterparty expects card-grade dispute rights (use card).

Here's how the rail comparison shakes out for an AP team trying to decide.

Source: NACHA operating rules and AFP cost benchmarking research.

What's the cost difference between ACH debit, ACH credit, wire, and card?

ACH debit and ACH credit carry the same per-transaction economics, since they both run on the same rail. Both are well below wire on cost per transaction, and well below the fully-loaded cost of a check at mid-market scale. Wire is the most expensive per-transaction option, which is why it's reserved for high-value time-sensitive payments. Card flips the model: instead of paying a fee, you earn rebate (typically 75 to 175 basis points on commercial card programs, paid by interchange on the supplier's side). The wire transfer fees guide breaks down the actual wire cost structure if the wire-versus-ACH math matters for your spend mix.

Which rail fits recurring B2B billing?

ACH debit on a CCD code is usually the right answer for predictable recurring B2B billing where the AR side knows when to pull and the AP side has authorized the pull in a master agreement. Same-day ACH is an option when you need a faster settlement window without paying wire fees. For B2B billing with variable amounts (utility-style usage billing, metered services), ACH debit handles it cleanly as long as the authorization covers variable amounts. The supplier-payment workflow guide covers how the supplier side of the workflow gets built out for B2B teams running multiple rails.

What are the fraud and compliance risks specific to ACH debit?

ACH-debit fraud is real and growing. According to AFP's 2025 Payments Fraud and Control Survey, 79% of organizations were victims of attempted or actual payments fraud in 2024. Check fraud was the most-targeted method, with 63% of organizations affected. For an AP team running ACH-debit operations, the specific exposures are unauthorized debits against your account (the soft side, where someone gets your routing and account numbers and tries a pull), and on the AR side, takeover of a customer account that triggers the 60-day consumer-unauthorized return cycle.

The controls for an AP team are mostly mechanical. Your bank can put an ACH debit block on the account (no debits allowed) or an ACH debit filter (debits only allowed from a whitelist of originator IDs with dollar caps). NACHA supports both. Positive pay is a check control but the same conceptual idea applies to ACH: you tell the bank what to expect, the bank verifies, anomalies get flagged for review. Dual-control authorization for any new ACH-debit relationship is the operational standard. For the AR side, validated account data, retained authorization records per NACHA's retention rules, and consistent monitoring of return-rate trends are the basics. The ACH credit fraud prevention guide covers BEC-related controls that apply to the credit side; the underlying principles transfer to debit operations.

What is an ACH debit block, and how do you use it?

An ACH debit block is a bank-side control that prevents any ACH debit from posting to the account. A filter is the softer version: a whitelist of approved originator IDs with optional dollar caps per originator. AP teams put blocks on accounts that should never see ACH debits (lockbox concentration accounts, payroll accounts, capital accounts). Filters go on operating accounts that need to allow specific authorized pulls (utility billing, recurring vendor pulls under master agreements) while blocking everything else. Both controls live at your bank, and setting them up is a treasury request, not a technology project. The how-to-defend-from-payment-fraud guide covers the broader set of payments fraud controls that complement ACH blocks.

How do you keep your unauthorized-return rate under NACHA's 0.5% cap?

Strong authorizations are the first line. Written authorizations for PPD, validated accounts and clear disclosure for WEB, signed agreements for CCD. Onboarding flow matters: if your signup process makes it easy to authorize debits without making it clear what's being authorized, you'll see R10 returns climb. Monitor the return rate weekly, segment by SEC code, and triage anything above 0.3% on unauthorized before it hits the 0.5% threshold. When you do hit returns, treat them as signal: an R10 spike from a specific cohort usually means the authorization weakened or the customer base shifted in a way the underwriting didn't catch.

How Corpay supports ACH debit in your AP and payments workflow

For AP teams that need to run ACH debit on the AR side (pulling from customers under authorization) or accept ACH debit pulls from vendors on the AP side (supplier-initiated payments under master agreements), Corpay's AP automation product handles the SEC-code selection, authorization records, return handling, and reconciliation back to the GL. The platform integrates with 180+ ERP and accounting systems, so the upstream invoice and the downstream payment data round-trip cleanly without manual reconciliation.

The piece platform-only competitors leave on the table is the managed-service layer. Authorization setup, return handling, and reconciliation are operational work, and an AP team without dedicated capacity to do that work will fall behind on return-rate monitoring and authorization compliance. We bring that capacity. The same goes for the broader payments-orchestration question on the AR side, where the payments automation product handles ACH debit alongside ACH credit, virtual card, wire, and cross-border on one platform. None of our peers in this category claim that managed-service capability across the AI-search comparisons we see prospects running, which is telling.

Frequently Asked Questions

What is ACH debit, in plain terms?

ACH debit is a payment where the receiver pulls funds from the sender's bank account through the ACH Network under prior authorization. It runs on the same batched bank-to-bank network as ACH credit, but the receiver initiates the transaction rather than the sender. Settlement is one to two business days standard, or same day with Same Day ACH and the right cutoff.

What's the difference between ACH debit and ACH credit?

The control point. ACH credit is sender-initiated, where you push a payment from your account to the receiver. ACH debit is receiver-initiated, where the receiver pulls funds from your account under prior authorization. Same network, same settlement windows, different authorization paperwork and different return rules.

What's the difference between ACH debit and a debit card?

They are different rails entirely. A debit card payment runs on the card networks in real time at the point of sale, with chargeback rights under card-network rules. ACH debit runs on the ACH Network in batches with NACHA-governed returns. Despite both being called "debit," they share almost nothing operationally.

How long does an ACH debit take to clear?

Standard ACH debit settles one to two business days after submission. Same Day ACH settles within hours if the originator meets the NACHA cutoff (typically 11:45 a.m. and 4:45 p.m. ET for the main same-day windows). Return notifications can come back days after the original settlement, particularly for unauthorized returns under the 60-day window.

Can an ACH debit be reversed?

It depends on the SEC code and the reason. Consumer debits (PPD, WEB) can come back as unauthorized within 60 days of settlement under return codes R05, R10, or R11. B2B CCD debits have a much tighter window (typically two business days for unauthorized returns). Insufficient-funds returns (R01, R09) can be retried up to twice within 180 days with "RETRY PYMT" in the description field.

What does "ACH debit" on my bank statement mean?

It means a payment was pulled from your account through the ACH Network rather than pushed in. The originator's name and a description usually appear next to the entry. For business owners reviewing statements, an unexpected ACH debit is often the trigger for setting up ACH debit filters at the bank to whitelist only approved originators.

Is ACH debit safe for businesses?

It can be, with the right controls. ACH debit blocks and filters at your bank, validated authorization records, dual-control approval for new debit relationships, and weekly return-rate monitoring are the basics. The 79% organizational fraud rate from AFP's 2025 survey is the headline reminder that the controls have to actually run, not just exist on paper.

How do you stop an unauthorized ACH debit?

Contact your bank immediately and dispute the transaction as unauthorized using the appropriate return code (R10 for consumer, R05 for corporate). Within the 60-day consumer window, the bank is required to honor the return. For B2B CCD entries, the window is tighter and the dispute resolution typically runs through the master agreement between the two companies.

What is an ACH debit block?

A bank-side control that prevents any ACH debit from posting to the account. The softer version is an ACH debit filter, which whitelists specific originator IDs with optional dollar caps. AP teams put blocks on accounts that should never see debits (lockbox, payroll, capital) and filters on operating accounts that need to allow specific authorized pulls.

David Luther

Product Marketing Program Manager

David Luther, MBA is a product marketing program manager with years of experience in commercial banking, finance, and technology sectors, with research and writing appearing in financial publications.

Payments Automation

AP Automation