ACH SEC Codes: Complete Guide to Standard Entry Class Codes | GoACH

ACH Reference Guide

ACH SEC Codes: The Complete Guide to Standard Entry Class Codes

Standard Entry Class (SEC) codes define how an ACH transaction was authorized and how it should be processed. Every ACH debit and credit carries one. This reference covers all four primary SEC codes used in B2B and high-risk ACH processing — CCD, PPD, WEB, and TEL — with authorization requirements, return code exposure, and practical use cases for MCA and specialty verticals.

Start processing ACH →

What Is a SEC Code?

The three-letter code that governs how every ACH transaction is authorized

A Standard Entry Class (SEC) code is a three-character code assigned by NACHA that identifies the authorization method and transaction type for an ACH entry. SEC codes appear in the batch header of every ACH file and tell the Receiving Depository Financial Institution (RDFI) how the transaction was authorized, what the appropriate return window is, and which NACHA Operating Rules apply to disputes and returns.

SEC codes are not optional or stylistic — using the wrong SEC code is a NACHA Operating Rules violation that can result in fines, return rate penalties, or account termination. For high-risk businesses where ACH processing privileges are already conditional, SEC code compliance is operationally critical.

NACHA recognizes over 20 SEC codes, but four codes account for the vast majority of business ACH transactions: CCD (business-to-business), PPD (consumer with written authorization), WEB (internet-initiated consumer debits), and TEL (phone-authorized consumer debits). GoACH supports all four natively, with built-in authorization management and return code monitoring for each.

Quick answer — which SEC code should I use? Use CCD for business bank accounts (MCA daily debits, B2B vendor payments). Use PPD for consumers who signed a paper or offline authorization. Use WEB for consumers who authorized online through a form or portal. Use TEL for one-time consumer debits authorized by phone on an inbound or existing-relationship call.
SEC Code
CCD

Corporate Credit or Debit

B2B ACH transactions between business bank accounts. The standard SEC code for merchant cash advance daily debits.

Authorization Requirements

  • Written or electronic authorization from the receiving business entity
  • Authorization must identify the company name, amount, and effective date
  • No specific format mandated — a signed MCA agreement or ACH debit authorization form qualifies
  • Authorization must be retained for 2 years after the last transaction

Common Return Codes

  • R01 — Insufficient Funds (most common for daily debits)
  • R02 — Account Closed
  • R03 — No Account / Unable to Locate Account
  • R04 — Invalid Account Number
  • R07 — Authorization Revoked (triggers unauthorized return tracking)
  • R10 — Customer Advises Not Authorized (impacts unauthorized threshold)

Who uses CCD: Merchant cash advance funders use CCD for daily ACH debits against merchant business checking accounts — this is the primary SEC code in MCA operations. B2B vendors, payroll processors, and corporate treasury functions also use CCD for routine business-to-business transfers.

Return window: The RDFI has 2 banking days to return a CCD transaction for most return reason codes. For unauthorized returns (R07, R10), the return window extends to 60 calendar days from the settlement date.

High-risk context: CCD is generally lower-risk than consumer SEC codes because both parties are businesses, and business bank account holders have fewer unauthorized return protections than consumers. For MCA funders, this makes CCD the preferred SEC code — but high-volume daily debits still require careful return rate management. GoACH’s AI risk engine monitors CCD return patterns in real time, with particular attention to R01 clusters that signal merchant financial stress before they escalate into R02 or R03 closures.

GoACH and CCD: GoACH’s platform is purpose-built around CCD for MCA operations. Features include intelligent retry logic trained on CCD return code patterns, same-day settlement for daily debit portfolios, and portfolio-level return rate dashboards broken down by merchant, batch, and return code.

SEC Code
PPD

Prearranged Payment and Deposit

Consumer ACH transactions authorized via written agreement. The standard code for recurring consumer billing — credit repair, debt settlement, and subscription services.

Authorization Requirements

  • Written authorization signed or similarly authenticated by the consumer
  • Must include company name, consumer name, account number, routing number, and debit amount (or variable amount terms)
  • For recurring debits, authorization must be provided in advance of the first transaction
  • Authorization must be provided to the consumer and retained for 2 years after last transaction
  • Consumer must be given notice before the amount or date changes

Common Return Codes

  • R01 — Insufficient Funds
  • R02 — Account Closed
  • R05 — Unauthorized Debit to Consumer Account (counts toward 0.5% unauthorized threshold)
  • R07 — Authorization Revoked by Consumer
  • R10 — Customer Advises Not Authorized
  • R29 — Corporate Customer Advises Not Authorized (rare but severe)

Who uses PPD: Credit repair companies collecting monthly service fees, debt settlement companies processing payment plan installments, insurance premium finance companies, and any business running recurring consumer billing with a signed authorization on file.

Return window: Standard returns: 2 banking days. Unauthorized returns (R05, R07, R10): 60 calendar days from settlement date for consumers. This extended unauthorized return window is a significant risk factor for high-volume consumer billing operations.

High-risk context: PPD carries more consumer protection than CCD because the RDFI has greater latitude to process unauthorized return claims. For credit repair and debt settlement companies — where customer disputes are structurally more common — maintaining clean PPD authorization records is critical. GoACH’s platform monitors R05, R07, and R10 returns separately to protect your 0.5% unauthorized return threshold.

PPD vs. WEB: If the consumer authorized the debit online (via a form, portal, or electronic signature), WEB is the correct code — not PPD. Using PPD for internet-initiated transactions is a NACHA compliance violation.

SEC Code
WEB

Internet-Initiated Debit Entry

Consumer debits authorized via the internet — online forms, portals, or electronic signatures. Carries the strictest account validation requirements of any consumer SEC code.

Authorization Requirements

  • Consumer authorization must be obtained via the internet — a web form, online portal, or electronic agreement
  • The originator must use a commercially reasonable fraudulent transaction detection system
  • Account validation required: NACHA mandates account validation for WEB debits since March 2022
  • The authorization must clearly state the debit terms and be retained
  • Consumers must be able to revoke authorization online

Common Return Codes

  • R01 — Insufficient Funds
  • R02 — Account Closed
  • R10 — Customer Advises Not Authorized (most common unauthorized return for WEB)
  • R29 — Corporate Customer Advises Not Authorized
  • R23 — Credit Entry Refused by Receiver (for WEB credits)

Who uses WEB: Any business that accepts ACH payment authorizations through a website, online application, or digital portal. Credit repair companies with online enrollment forms, debt settlement companies with digital client agreements, and SaaS platforms with online billing all use WEB for consumer ACH debits.

The 2022 account validation rule: Since March 19, 2022, NACHA requires all WEB debit originators to use a commercially reasonable method of account validation before the first debit. Acceptable methods include real-time account verification services (Plaid, Yodlee, Finicity), micro-deposit verification, or pre-note testing.

High-risk context: WEB is the highest-scrutiny consumer SEC code from a NACHA compliance perspective. The account validation requirement, combined with the 60-day unauthorized return window, makes WEB authorization management critical for credit repair and online-enrollment businesses. GoACH’s platform includes built-in WEB debit authorization workflows with account validation integration.

WEB vs. TEL: If the consumer authorized by phone rather than online, use TEL — not WEB. Misclassifying TEL-authorized transactions as WEB violates NACHA rules.

SEC Code
TEL

Telephone-Initiated Entry

Single-entry consumer debits authorized orally by telephone. Restricted to existing customer relationships or inbound calls. Requires a recorded authorization or written confirmation.

Authorization Requirements

  • Authorization must be obtained orally via telephone from the consumer
  • Originator must either record the oral authorization or provide written notice to the consumer before settlement
  • TEL is limited to: (1) an existing customer relationship, OR (2) a consumer-initiated inbound call
  • TEL cannot be used to initiate recurring debits — single entry only
  • The recorded authorization or written notice must be retained for 2 years

Common Return Codes

  • R01 — Insufficient Funds
  • R02 — Account Closed
  • R07 — Authorization Revoked by Consumer
  • R10 — Customer Advises Not Authorized
  • R15 — Beneficiary or Account Holder Deceased

Who uses TEL: Debt collection agencies collecting phone-authorized payments, insurance companies processing one-time premium payments by phone, and any business accepting single ACH payments via inbound customer calls.

Existing relationship restriction: TEL cannot be used for outbound calls to consumers with whom you have no prior relationship. Cold outbound calls requesting ACH authorization are not eligible for TEL — this is one of the most commonly misunderstood TEL restrictions.

Single-entry limitation: TEL is for one-time debits only. If the consumer authorizes recurring payments by phone, you must obtain a written or electronic authorization (PPD or WEB) for the recurring series.

High-risk context: For debt collection agencies, TEL is operationally common but compliance-intensive. GoACH recommends maintaining a systematic authorization archive for all TEL transactions given the 60-day unauthorized return window and R10 return risk inherent in collections contexts.

Quick Reference

ACH SEC codes comparison table

Use this table to determine the correct SEC code for your transaction type and authorization method.

SEC Code Full Name Account Type Authorization Method Recurring? Account Validation Primary Use Case
CCD Corporate Credit or Debit Business checking/savings Written or electronic business authorization Yes Not required MCA daily debits, B2B vendor payments, business payroll
PPD Prearranged Payment & Deposit Consumer checking/savings Written/signed paper or electronic authorization Yes Not required Credit repair monthly fees, debt settlement plans, consumer subscriptions
WEB Internet-Initiated Debit Consumer checking/savings Online form, portal, or electronic agreement Yes Required (NACHA 2022 rule) Online enrollment billing, e-commerce ACH, digital subscription services
TEL Telephone-Initiated Entry Consumer checking/savings Oral authorization via inbound or existing-relationship phone call No (single entry only) Not required Collections one-time payments, inbound phone payments, insurance premium by phone
Return Rate Thresholds

NACHA return rate thresholds

NACHA monitors three return rate levels across an originator’s ACH activity. Exceeding a level is not automatically a violation of the Operating Rules — it allows NACHA to open a preliminary inquiry into the originator’s origination practices.

Threshold Level What it covers
Unauthorized return rate 0.5% Debits returned as unauthorized (R05, R07, R10, R29, R51)
Administrative return rate 3.0% R02, R03, and R04 — account number and data errors
Overall return rate 15.0% All returns combined, across every return reason code
Other SEC Codes

Additional SEC codes you may encounter

While CCD, PPD, WEB, and TEL cover most business ACH use cases, NACHA recognizes additional SEC codes for specialized transaction types. GoACH supports CCD, PPD, WEB, and TEL natively.

SEC Code Full Name What it is
ACK ACH Payment Acknowledgment A zero-dollar acknowledgment entry an RDFI returns to confirm receipt of a CCD credit.
ARC Accounts Receivable Entry A one-time consumer debit that converts an eligible check received by mail or drop box into an ACH entry.
BOC Back Office Conversion A one-time consumer debit converting a check accepted in person (point of sale or manned bill-payment location), converted during back-office processing.
CIE Customer Initiated Entry A consumer-initiated ACH credit, typically a bill payment the consumer pushes through a bill-pay service.
CTX Corporate Trade Exchange A B2B entry carrying up to 9,999 addenda records of remittance or EDI data — used for corporate trade payments with detailed invoice information.
IAT International ACH Transaction An entry that is part of a payment involving a financial agency outside the U.S.; carries mandatory OFAC screening and additional addenda.
POP Point of Purchase A one-time consumer debit created from a check presented in person at the point of purchase and converted to ACH.
POS Point of Sale A debit at an electronic terminal to purchase goods or services, usually via an access or debit device.
RCK Re-presented Check Entry An ACH debit that re-presents a paper check previously returned for insufficient or uncollected funds (NSF).
TRC Truncated Entry An entry used within check-truncation programs, where the original paper check is retained and only the payment data is transmitted.

If your transaction type doesn’t fit CCD, PPD, WEB, or TEL, contact GoACH’s team to determine the correct SEC code before originating — misclassification is a NACHA compliance violation regardless of intent.

FAQ

ACH SEC code frequently asked questions

Which SEC code should I use?
Use CCD for debits against business bank accounts, such as MCA daily debits and B2B vendor payments. Use PPD for consumer debits authorized by a signed paper or offline authorization. Use WEB for consumer debits authorized online through a web form or portal. Use TEL for one-time consumer debits authorized by phone during an inbound or existing-relationship call.
What is the most common ACH SEC code?
PPD and CCD are the two most widely used SEC codes. PPD covers most recurring consumer billing, while CCD covers business-to-business debits and credits, including merchant cash advance daily debits.
Which SEC code is used for payroll?
Direct-deposit payroll uses PPD credits — the employer credits employees’ consumer bank accounts under a standing authorization. Business-to-business payroll funding between company accounts uses CCD.
What is the difference between CCD and PPD?
CCD is for business bank accounts and requires a business authorization; PPD is for consumer accounts and requires a written consumer authorization. Using PPD to debit a business account — or CCD to debit a consumer account — is a NACHA misclassification.
What SEC code do I use for a one-time online payment?
WEB. Any consumer debit authorized through a website, portal, or electronic agreement is a WEB entry and is subject to NACHA’s account-validation requirement, even if the payment only happens once.
What is the ACH return window for unauthorized transactions?
Standard returns must be made within 2 banking days. Unauthorized returns (R05, R07, R10) have an extended window of 60 calendar days from the settlement date for consumer entries.
What happens if I use the wrong SEC code?
Using the wrong SEC code is a violation of NACHA Operating Rules. Consequences range from return complications to compliance findings during a NACHA audit. For high-risk ACH accounts where processing privileges are conditional, repeated SEC code misclassification can contribute to account suspension. GoACH’s onboarding process identifies and configures the correct SEC code(s) for your business based on your authorization channels.
Can I use multiple SEC codes on the same GoACH account?
Yes. Many businesses use more than one SEC code depending on how transactions are authorized. An MCA funder might use CCD for daily debits and PPD for a consumer-facing product. Each SEC code is configured and monitored separately within GoACH’s platform, with return rate tracking maintained independently for each code.
What is the difference between PPD and WEB?
Both PPD and WEB are used for consumer ACH debits, but the key difference is the authorization channel. PPD requires a written authorization — a signed paper form or a document the consumer signed offline. WEB is specifically for authorizations obtained through an internet interface — a website form, online portal, or digital enrollment flow. If the consumer filled out a form on your website, WEB is the correct code. Using PPD for internet-obtained authorizations is a NACHA violation.
Does the 2022 NACHA account validation rule apply to all WEB debits?
Yes. Since March 19, 2022, all WEB debit originators are required to use a commercially reasonable fraudulent transaction detection system and validate consumer account information before the first debit in a series. GoACH’s platform includes WEB account validation workflows to ensure compliance with this requirement.
What SEC code should MCA companies use for daily debits?
CCD is the correct SEC code for MCA daily debits. MCA repayment debits are drawn from business (not consumer) checking accounts, and the authorization is contained within the merchant cash advance agreement signed by the business. Using PPD or WEB for MCA debits against business accounts would be a NACHA misclassification. Learn more about MCA daily debit processing →
How long do I need to retain ACH authorization records?
NACHA requires ACH authorization records to be retained for a minimum of 2 years after the termination or revocation of the authorization. For high-risk businesses where unauthorized return disputes are more likely, GoACH recommends maintaining authorization records for the full retention period in an easily retrievable format — this is your primary defense against R05, R07, and R10 unauthorized return claims.
Process ACH with GoACH

Need ACH processing with full SEC code support?

GoACH supports CCD, PPD, WEB, and TEL with built-in authorization management and real-time return rate monitoring for each code.

About This Guide

Last reviewed June 2026 by the GoACH Compliance Team.

This ACH SEC code reference is published by GoACH, a NACHA-compliant ACH payment processor operated by Unity FI Solutions LLC, headquartered in Charlotte, NC. GoACH specializes in high-risk ACH processing for merchant cash advance, credit repair, debt settlement, and collections — industries where correct SEC code usage and return rate management are operationally critical.

Related resources: ACH Return Codes reference · High-Risk ACH Processing · ACH Payment Processor · MCA Daily Debit Processing · High-Risk ACH FAQ