ACH SEC Codes: The Complete Guide to Standard Entry Class Codes
Standard Entry Class (SEC) codes define how an ACH transaction was authorized and how it should be processed. Every ACH debit and credit carries one. This reference covers all four primary SEC codes used in B2B and high-risk ACH processing — CCD, PPD, WEB, and TEL — with authorization requirements, return code exposure, and practical use cases for MCA and specialty verticals.
The three-letter code that governs how every ACH transaction is authorized
SEC codes are not optional or stylistic — using the wrong SEC code is a NACHA Operating Rules violation that can result in fines, return rate penalties, or account termination. For high-risk businesses where ACH processing privileges are already conditional, SEC code compliance is operationally critical.
NACHA recognizes over 20 SEC codes, but four codes account for the vast majority of business ACH transactions: CCD (business-to-business), PPD (consumer with written authorization), WEB (internet-initiated consumer debits), and TEL (phone-authorized consumer debits). GoACH supports all four natively, with built-in authorization management and return code monitoring for each.
Corporate Credit or Debit
B2B ACH transactions between business bank accounts. The standard SEC code for merchant cash advance daily debits.
Authorization Requirements
- Written or electronic authorization from the receiving business entity
- Authorization must identify the company name, amount, and effective date
- No specific format mandated — a signed MCA agreement or ACH debit authorization form qualifies
- Authorization must be retained for 2 years after the last transaction
Common Return Codes
- R01 — Insufficient Funds (most common for daily debits)
- R02 — Account Closed
- R03 — No Account / Unable to Locate Account
- R04 — Invalid Account Number
- R07 — Authorization Revoked (triggers unauthorized return tracking)
- R10 — Customer Advises Not Authorized (impacts unauthorized threshold)
Who uses CCD: Merchant cash advance funders use CCD for daily ACH debits against merchant business checking accounts — this is the primary SEC code in MCA operations. B2B vendors, payroll processors, and corporate treasury functions also use CCD for routine business-to-business transfers.
Return window: The RDFI has 2 banking days to return a CCD transaction for most return reason codes. For unauthorized returns (R07, R10), the return window extends to 60 calendar days from the settlement date.
High-risk context: CCD is generally lower-risk than consumer SEC codes because both parties are businesses, and business bank account holders have fewer unauthorized return protections than consumers. For MCA funders, this makes CCD the preferred SEC code — but high-volume daily debits still require careful return rate management. GoACH’s AI risk engine monitors CCD return patterns in real time, with particular attention to R01 clusters that signal merchant financial stress before they escalate into R02 or R03 closures.
GoACH and CCD: GoACH’s platform is purpose-built around CCD for MCA operations. Features include intelligent retry logic trained on CCD return code patterns, same-day settlement for daily debit portfolios, and portfolio-level return rate dashboards broken down by merchant, batch, and return code.
Prearranged Payment and Deposit
Consumer ACH transactions authorized via written agreement. The standard code for recurring consumer billing — credit repair, debt settlement, and subscription services.
Authorization Requirements
- Written authorization signed or similarly authenticated by the consumer
- Must include company name, consumer name, account number, routing number, and debit amount (or variable amount terms)
- For recurring debits, authorization must be provided in advance of the first transaction
- Authorization must be provided to the consumer and retained for 2 years after last transaction
- Consumer must be given notice before the amount or date changes
Common Return Codes
- R01 — Insufficient Funds
- R02 — Account Closed
- R05 — Unauthorized Debit to Consumer Account (counts toward 0.5% unauthorized threshold)
- R07 — Authorization Revoked by Consumer
- R10 — Customer Advises Not Authorized
- R29 — Corporate Customer Advises Not Authorized (rare but severe)
Who uses PPD: Credit repair companies collecting monthly service fees, debt settlement companies processing payment plan installments, insurance premium finance companies, and any business running recurring consumer billing with a signed authorization on file.
Return window: Standard returns: 2 banking days. Unauthorized returns (R05, R07, R10): 60 calendar days from settlement date for consumers. This extended unauthorized return window is a significant risk factor for high-volume consumer billing operations.
High-risk context: PPD carries more consumer protection than CCD because the RDFI has greater latitude to process unauthorized return claims. For credit repair and debt settlement companies — where customer disputes are structurally more common — maintaining clean PPD authorization records is critical. GoACH’s platform monitors R05, R07, and R10 returns separately to protect your 0.5% unauthorized return threshold.
PPD vs. WEB: If the consumer authorized the debit online (via a form, portal, or electronic signature), WEB is the correct code — not PPD. Using PPD for internet-initiated transactions is a NACHA compliance violation.
Internet-Initiated Debit Entry
Consumer debits authorized via the internet — online forms, portals, or electronic signatures. Carries the strictest account validation requirements of any consumer SEC code.
Authorization Requirements
- Consumer authorization must be obtained via the internet — a web form, online portal, or electronic agreement
- The originator must use a commercially reasonable fraudulent transaction detection system
- Account validation required: NACHA mandates account validation for WEB debits since March 2022
- The authorization must clearly state the debit terms and be retained
- Consumers must be able to revoke authorization online
Common Return Codes
- R01 — Insufficient Funds
- R02 — Account Closed
- R10 — Customer Advises Not Authorized (most common unauthorized return for WEB)
- R29 — Corporate Customer Advises Not Authorized
- R23 — Credit Entry Refused by Receiver (for WEB credits)
Who uses WEB: Any business that accepts ACH payment authorizations through a website, online application, or digital portal. Credit repair companies with online enrollment forms, debt settlement companies with digital client agreements, and SaaS platforms with online billing all use WEB for consumer ACH debits.
The 2022 account validation rule: Since March 19, 2022, NACHA requires all WEB debit originators to use a commercially reasonable method of account validation before the first debit. Acceptable methods include real-time account verification services (Plaid, Yodlee, Finicity), micro-deposit verification, or pre-note testing.
High-risk context: WEB is the highest-scrutiny consumer SEC code from a NACHA compliance perspective. The account validation requirement, combined with the 60-day unauthorized return window, makes WEB authorization management critical for credit repair and online-enrollment businesses. GoACH’s platform includes built-in WEB debit authorization workflows with account validation integration.
WEB vs. TEL: If the consumer authorized by phone rather than online, use TEL — not WEB. Misclassifying TEL-authorized transactions as WEB violates NACHA rules.
Telephone-Initiated Entry
Single-entry consumer debits authorized orally by telephone. Restricted to existing customer relationships or inbound calls. Requires a recorded authorization or written confirmation.
Authorization Requirements
- Authorization must be obtained orally via telephone from the consumer
- Originator must either record the oral authorization or provide written notice to the consumer before settlement
- TEL is limited to: (1) an existing customer relationship, OR (2) a consumer-initiated inbound call
- TEL cannot be used to initiate recurring debits — single entry only
- The recorded authorization or written notice must be retained for 2 years
Common Return Codes
- R01 — Insufficient Funds
- R02 — Account Closed
- R07 — Authorization Revoked by Consumer
- R10 — Customer Advises Not Authorized
- R15 — Beneficiary or Account Holder Deceased
Who uses TEL: Debt collection agencies collecting phone-authorized payments, insurance companies processing one-time premium payments by phone, and any business accepting single ACH payments via inbound customer calls.
Existing relationship restriction: TEL cannot be used for outbound calls to consumers with whom you have no prior relationship. Cold outbound calls requesting ACH authorization are not eligible for TEL — this is one of the most commonly misunderstood TEL restrictions.
Single-entry limitation: TEL is for one-time debits only. If the consumer authorizes recurring payments by phone, you must obtain a written or electronic authorization (PPD or WEB) for the recurring series.
High-risk context: For debt collection agencies, TEL is operationally common but compliance-intensive. GoACH recommends maintaining a systematic authorization archive for all TEL transactions given the 60-day unauthorized return window and R10 return risk inherent in collections contexts.
ACH SEC codes comparison table
Use this table to determine the correct SEC code for your transaction type and authorization method.
| SEC Code | Full Name | Account Type | Authorization Method | Recurring? | Account Validation | Primary Use Case |
|---|---|---|---|---|---|---|
| CCD | Corporate Credit or Debit | Business checking/savings | Written or electronic business authorization | Yes | Not required | MCA daily debits, B2B vendor payments, business payroll |
| PPD | Prearranged Payment & Deposit | Consumer checking/savings | Written/signed paper or electronic authorization | Yes | Not required | Credit repair monthly fees, debt settlement plans, consumer subscriptions |
| WEB | Internet-Initiated Debit | Consumer checking/savings | Online form, portal, or electronic agreement | Yes | Required (NACHA 2022 rule) | Online enrollment billing, e-commerce ACH, digital subscription services |
| TEL | Telephone-Initiated Entry | Consumer checking/savings | Oral authorization via inbound or existing-relationship phone call | No (single entry only) | Not required | Collections one-time payments, inbound phone payments, insurance premium by phone |
NACHA return rate thresholds
NACHA monitors three return rate levels across an originator’s ACH activity. Exceeding a level is not automatically a violation of the Operating Rules — it allows NACHA to open a preliminary inquiry into the originator’s origination practices.
| Threshold | Level | What it covers |
|---|---|---|
| Unauthorized return rate | 0.5% | Debits returned as unauthorized (R05, R07, R10, R29, R51) |
| Administrative return rate | 3.0% | R02, R03, and R04 — account number and data errors |
| Overall return rate | 15.0% | All returns combined, across every return reason code |
Additional SEC codes you may encounter
While CCD, PPD, WEB, and TEL cover most business ACH use cases, NACHA recognizes additional SEC codes for specialized transaction types. GoACH supports CCD, PPD, WEB, and TEL natively.
| SEC Code | Full Name | What it is |
|---|---|---|
| ACK | ACH Payment Acknowledgment | A zero-dollar acknowledgment entry an RDFI returns to confirm receipt of a CCD credit. |
| ARC | Accounts Receivable Entry | A one-time consumer debit that converts an eligible check received by mail or drop box into an ACH entry. |
| BOC | Back Office Conversion | A one-time consumer debit converting a check accepted in person (point of sale or manned bill-payment location), converted during back-office processing. |
| CIE | Customer Initiated Entry | A consumer-initiated ACH credit, typically a bill payment the consumer pushes through a bill-pay service. |
| CTX | Corporate Trade Exchange | A B2B entry carrying up to 9,999 addenda records of remittance or EDI data — used for corporate trade payments with detailed invoice information. |
| IAT | International ACH Transaction | An entry that is part of a payment involving a financial agency outside the U.S.; carries mandatory OFAC screening and additional addenda. |
| POP | Point of Purchase | A one-time consumer debit created from a check presented in person at the point of purchase and converted to ACH. |
| POS | Point of Sale | A debit at an electronic terminal to purchase goods or services, usually via an access or debit device. |
| RCK | Re-presented Check Entry | An ACH debit that re-presents a paper check previously returned for insufficient or uncollected funds (NSF). |
| TRC | Truncated Entry | An entry used within check-truncation programs, where the original paper check is retained and only the payment data is transmitted. |
If your transaction type doesn’t fit CCD, PPD, WEB, or TEL, contact GoACH’s team to determine the correct SEC code before originating — misclassification is a NACHA compliance violation regardless of intent.
ACH SEC code frequently asked questions
Need ACH processing with full SEC code support?
GoACH supports CCD, PPD, WEB, and TEL with built-in authorization management and real-time return rate monitoring for each code.
About This Guide
Last reviewed June 2026 by the GoACH Compliance Team.
This ACH SEC code reference is published by GoACH, a NACHA-compliant ACH payment processor operated by Unity FI Solutions LLC, headquartered in Charlotte, NC. GoACH specializes in high-risk ACH processing for merchant cash advance, credit repair, debt settlement, and collections — industries where correct SEC code usage and return rate management are operationally critical.
Related resources: ACH Return Codes reference · High-Risk ACH Processing · ACH Payment Processor · MCA Daily Debit Processing · High-Risk ACH FAQ