Skip to Content

Online Banking

the right bank TM

ACH Originator Education

Inside Origination Newsletter

Stay up-to-date with Inside Origination, published twice a year by EPCOR (Electronic Payments Core of Knowledge). This newsletter contains valuable information specific to ACH Originators as well as all business customers. If you are looking for an easy method to stay informed of payments changes, this is it! Click the Download button below to read the most recent edition of Inside Origination. To register for your own subscription to this newsletter and other communications by EPCOR, visit epcor.org.
View Newsletter    

ACH Return Rate Rule

Effective 10/3/16:

Unauthorized Entry Fee is $4.50 and the threshold is .05%

  • Fees may be passed on to the originator
  • R05 - Unauthorized Debit to Consumer Account Using SEC Code
  • R07 - Authorization Revoked by Customer
  • R10 - Customer Advises Unauthorized, Improper, Ineligible, or part of an Incomplete Transaction
  • R29 - Corporate Customer Advises Not Authorized
  • R51 - Item Related to RCK Entry is ineligible or RCK Entry is improper
Effective 9/18/15:

Administrative Return Rate Level for debit entries is 3%

  • R02 - Account Closed
  • R03 - No Account/Unable to Locate Account
  • R04 - Invalid Account Number Structure
Overall Return Rate Level for debit entries is 15%
  • Returns for ANY reason (includes NSF, stop payments, etc.)
  • Exclude RCK entries (represented check entires)

ACH Security Framework Rule

This rule establishes the minimum data obligations for ACH Originators to maintain for protecting ACH data. The key elements of this rule are: 1) Protect Sensitive Data & Access Controls; 2) Verification of Third-Party Senders and Originators; 3) Self-Assessment. Requirements of this rule:

  • Non-consumer Originators, Participating Depository Financial Institutions (DFI),  and Third-Party Service Providers/Senders must establish, implement, and update (as appropriate) data security policies, procedures, and systems with respect to the initiation, processing, and storage of Entries and resulting Protected Information
  • Originating Depository Financial Institutions (ODFI) must utilize a commercially reasonable method to verify the identity of an Originator or Third-Party Sender when entering into an Origination Agreement
  • Self-Assessment does not directly apply to ACH Originators who are bound through ACH Agreements. Participating DFIs and Third-Party Service Providers/Senders must verify through a self-assessment and audit that it has established, implemented, and updated the data security policies, procedures, and systems as required. 

Learn About Data Security

Compliance to the new ACH Security Framework Rule can be daunting...but it doesn't have to be! The Better Business Bureau (bbb.org) offers training specifically for small businesses on how to simplify the requirements of ACH data security. Visit bbb.org/council/data-security-made-simpler to get started!

You'll learn how to:

  • Properly handle & dispose of sensitive data securely
  • Become PCI Compliant
  • Respond when customer data is stolen
  • Respond when a third party requests customer information
  • and more!