WEB ACH Debit Authorization Requirements (2026): What Counts as Consent and How to Defend Unauthorized Returns

Written by Tyler DurbinJune 24, 2026
Merchant Alternatives is reader-supported. When you make purchases through links on our site, we may earn a commission. This is always at no additional cost to you and helps us continue to provide accurate, transparent and up-to-date information on the things that matter most to your business, for free.

If you take ACH payments online, especially via bank account debits for subscriptions, invoice pay links, or one-time checkout, your biggest hidden risk is not fees. It is authorization. When a customer later claims they did not authorize a debit, the return can come back as an unauthorized code and you can lose the funds long after you thought the payment cleared.

This guide explains what the ACH Network expects for WEB debits (internet or mobile initiated ACH debits), what information must be included in a compliant authorization, what to store as proof, and how to lower your rate of unauthorized returns like R05, R07, R10, and R11 without adding too much friction.

What is a WEB debit authorization, in plain English?

A WEB debit authorization is the customer's agreement that you can pull money from their bank account using ACH, and that agreement was obtained online or through a wireless network.

For merchants, the practical meaning is simple: if you cannot show a clear agreement to the amount and timing, plus evidence tying that agreement to the customer, you are exposed when the customer disputes the debit with their bank.

Key idea: data access is not payment authorization

If you use open banking or account linking to obtain routing and account numbers, that consent to share data is not the same thing as consent to debit the account. Your checkout still needs a separate and clear payment authorization.

What makes a WEB authorization "valid" under Nacha?

A valid authorization is one that is clear, readily understandable, and "signed or similarly authenticated" by the consumer. In practice, that means the customer must take an affirmative action online that shows assent, and you must be able to reproduce a record of what they agreed to.

Nacha has also emphasized that a debit authorization to a consumer account needs specific core information elements so the originator can create a compliant authorization and later prove it.

What information should your WEB authorization include?

At minimum, your WEB authorization should include these elements, presented in a way that is obvious to a normal buyer:

  • Express authorization language (example: "I authorize Company A to debit my bank account")
  • Amount of the transaction (exact amount, a range, or a formula tied to usage)
  • Date and or frequency of the transaction(s)
  • The consumer's account number
  • The consumer's bank routing number
  • Revocation language for recurring or future dated debits

You should also include operational details that reduce disputes and reduce bank confusion, even if they are not strictly required in every situation:

  • Your business legal name and any DBA that appears in the customer's bank statement
  • How the debit will show up in the bank descriptor (as close as you can get)
  • A support email and phone number
  • Refund and cancellation policy with a direct link

How should the customer "sign" a WEB authorization?

The short answer is: the customer must be "similarly authenticated," meaning the authorization is in writing but completed electronically and tied to an authenticated session or identity check.

Common patterns that work well in practice include:

  • Logged-in customer account plus a checkbox that is unchecked by default
  • Click-through assent with a button label that indicates agreement (not just "Continue")
  • One-time passcode (OTP) verification to the email or phone tied to the user
  • A shared secret or password prompt immediately before the final submit

Avoid weak patterns like burying the authorization inside a generic terms-of-service link with no explicit assent to ACH debits.

What proof should you store to defend an unauthorized ACH return?

Store enough detail to recreate three things: (1) the words the customer saw, (2) the action they took to agree, and (3) why you believe it was that customer.

Nacha's industry practices guide for WEB proof of authorization describes a mix of records that can help show an authorization took place, including screenshots of the authorization language plus audit logs like date and time, IP address, and the authentication steps used to link the authorization to the consumer.

A practical proof-of-authorization checklist

Store these items for every WEB debit relationship, organized by customer and by mandate version:

  1. The authorization text version
  2. A rendered copy of the authorization language as shown at checkout
  3. The URL or app screen identifier
  4. Timestamp in UTC
  5. The customer identity trail
  6. Customer account ID
  7. Name and email used at checkout
  8. Phone number if collected
  9. Shipping address or billing address if relevant
  10. The consent event
  11. The checkbox state and label
  12. The click event and session ID
  13. Device fingerprint or user agent
  14. IP address and geolocation at a coarse level
  15. The bank details captured
  16. Routing number
  17. Account number token or last 4 (do not store raw account numbers unless your controls justify it)
  18. Whether the account was verified
  19. The commerce record
  20. Invoice ID, order ID, or subscription ID
  21. Product or service description
  22. Price, tax, shipping, and total
  23. Refund and cancellation terms shown at purchase

If you work with higher risk products, consider storing an additional customer intent artifact such as a confirmation email that repeats the amount and timing.

What return codes count as "unauthorized" for WEB debits?

Nacha's calculation guidance lists unauthorized return reason codes as including R05, R07, R10, R11, R29, and R51. These codes matter because they can trigger fees, monitoring, and in severe cases loss of ACH origination privileges.

For WEB consumer debits, the most relevant are:

  • R10: Customer advises not authorized
  • R07: Authorization revoked by customer
  • R05: Unauthorized debit to consumer account (often when a corporate SEC code was used incorrectly)
  • R11: Customer advises entry not in accordance with the terms of the authorization

How long after settlement can a customer dispute a WEB debit?

For ACH returns, consumer debits can have an extended return window for unauthorized claims. Practically, you should assume a customer dispute can come back weeks later, not just in the first couple of days.

Separately, under Regulation E, a consumer must report an unauthorized electronic fund transfer that appears on a periodic statement within 60 days of the financial institution's transmittal of the statement to avoid liability for subsequent transfers.

What does Nacha require for fraud detection on WEB debits?

Nacha's Account Validation Rule makes it explicit that account validation is part of a commercially reasonable fraudulent transaction detection system. For the first use of an account number (or when the account number changes), you must validate the account using a commercially reasonable method.

Nacha describes common validation options like prenotes, micro-transaction verification, or commercially available validation services.

What account validation does and does not do

Account validation helps confirm the routing number and account number belong to a real account and can receive debits. It does not prove the person paying is the rightful accountholder. That is why identity checks and proof-of-authorization logging still matter.

How do you reduce unauthorized returns without hurting conversion?

Start with controls that reduce confusion, because confusion turns into disputes. Then add checks that reduce true fraud.

Here is a merchant-friendly stack that usually performs well:

  1. Make the authorization obvious
  2. Put the authorization language directly above the pay button
  3. Use a checkbox and do not pre-check it
  4. Repeat the amount and whether it is recurring
  5. Confirm identity lightly
  6. OTP to email or SMS for higher risk orders
  7. Step-up authentication when signals look risky (new device, high amount, mismatch)
  8. Validate the account on first use
  9. Use micro-deposits or a validation service when you cannot rely on instant verification
  10. Tighten your descriptor and support
  11. Make sure your ACH descriptor is recognizable
  12. Put support contact details in confirmation emails
  13. Handle revocation and cancellations fast
  14. Provide a self-serve cancel path
  15. Stop future debits immediately when a customer revokes

A simple risk-based decision table

Scenario Recommended friction Why
Low dollar, logged-in returning customer Checkbox plus full logging Low fraud risk, focus on clarity
High dollar first purchase OTP plus account validation plus manual review on mismatch Reduces account takeover and bad bank data
Subscription with free trial Stronger disclosure plus reminder before first paid debit Trials cause disputes
Marketplace or complex balance adjustments Explicit consent plus post-transaction notice Complex flows get challenged more

What should you do when you get an R10 or R07 return?

Treat it as a risk signal, not just a failed payment.

Operationally:

  1. Stop re-debiting automatically
  2. Pull your proof-of-authorization package
  3. Contact the customer and offer a clean resolution path
  4. If the customer insists it was unauthorized, do not argue. Move to a new payment method and improve your flow
  5. Review your return rate and your onboarding funnel

When can your bank or processor request proof of authorization?

When return rates rise, when an RDFI challenges a debit, or when an ODFI is doing risk management on its originators, you may be asked to produce evidence.

Nacha's WEB proof of authorization guidance notes that originators must retain the original or a copy of each written authorization, or a readily and accurately reproducible record evidencing another form of authorization, for two years from termination or revocation of the authorization, and be able to provide those records to the ODFI upon request.

FAQ

Does a checkbox count as a signed authorization for WEB debits?

It can, as long as the authorization is presented in a readable form, the customer takes an affirmative action to agree, and you store a record that links that assent to the consumer and the session.

Do I need to give the customer a copy of the authorization?

Yes. Nacha has stated that an originator must provide a copy of the authorization to the consumer for their records and be able to provide proof of authorization to the ODFI upon request.

What is the Nacha WEB account validation rule?

It requires originators of consumer WEB debits to validate the account on first use of an account number, or when the account number changes, using a commercially reasonable method.

What return codes count as unauthorized for Nacha monitoring?

Nacha's calculation guidance lists unauthorized return reason codes as including R05, R07, R10, R11, R29, and R51.

How long should I store proof of authorization?

Nacha's WEB proof of authorization guidance notes that originators must retain authorization records for two years from termination or revocation.

Next steps: get an ACH-friendly merchant account

You can apply for a merchant account through Easy Pay Direct or another processor that fits your model. Other options worth a look:

  • /go/easy-pay-direct
  • /go/payarc
  • /go/host-merchant-services

Sources:
- Nacha: https://www.nacha.org/rules/supplementing-fraud-detection-standards-web-debits
- Nacha: https://www.nacha.org/news/importance-compliant-ach-authorizations
- Nacha PDF: https://www.nacha.org/system/files/2022-11/WEB_Proof_of_Authorization_Industry_Practices.pdf
- CFPB Regulation E: https://www.consumerfinance.gov/rules-policy/regulations/1005/6
- CFPB Regulation E: https://www.consumerfinance.gov/rules-policy/regulations/1005/11
- Nacha PDF: https://www.nacha.org/system/files/2024-01/Calculate_Unauthorized_Return_Rate.pdf

Written by 

Tyler Durbin