ACH SEC Codes: Complete Guide to Standard Entry Class Codes | GoACH

ACH Reference Guide

ACH SEC Codes: The Complete Guide to Standard Entry Class Codes

Standard Entry Class (SEC) codes define how an ACH transaction was authorized and how it should be processed. Every ACH debit and credit carries one. This reference covers all four primary SEC codes used in B2B and high-risk ACH processing — CCD, PPD, WEB, and TEL — with authorization requirements, return code exposure, and practical use cases for MCA and specialty verticals.

Start processing ACH →

What Is a SEC Code?

The three-letter code that governs how every ACH transaction is authorized

A Standard Entry Class (SEC) code is a three-character code assigned by NACHA that identifies the authorization method and transaction type for an ACH entry. SEC codes appear in the batch header of every ACH file and tell the Receiving Depository Financial Institution (RDFI) how the transaction was authorized, what the appropriate return window is, and which NACHA Operating Rules apply to disputes and returns.

SEC codes are not optional or stylistic — using the wrong SEC code is a NACHA Operating Rules violation that can result in fines, return rate penalties, or account termination. For high-risk businesses where ACH processing privileges are already conditional, SEC code compliance is operationally critical.

NACHA recognizes over 20 SEC codes, but four codes account for the vast majority of business ACH transactions: CCD (business-to-business), PPD (consumer with written authorization), WEB (internet-initiated consumer debits), and TEL (phone-authorized consumer debits). GoACH supports all four natively, with built-in authorization management and return code monitoring for each.

In this guide

SEC Code
CCD

Corporate Credit or Debit

B2B ACH transactions between business bank accounts. The standard SEC code for merchant cash advance daily debits.

Authorization Requirements

  • Written or electronic authorization from the receiving business entity
  • Authorization must identify the company name, amount, and effective date
  • No specific format mandated — a signed MCA agreement or ACH debit authorization form qualifies
  • Authorization must be retained for 2 years after the last transaction

Common Return Codes

  • R01 — Insufficient Funds (most common for daily debits)
  • R02 — Account Closed
  • R03 — No Account / Unable to Locate Account
  • R04 — Invalid Account Number
  • R07 — Authorization Revoked (triggers unauthorized return tracking)
  • R10 — Customer Advises Not Authorized (impacts unauthorized threshold)

Who uses CCD: Merchant cash advance funders use CCD for daily ACH debits against merchant business checking accounts — this is the primary SEC code in MCA operations. B2B vendors, payroll processors, and corporate treasury functions also use CCD for routine business-to-business transfers.

Return window: The RDFI has 2 banking days to return a CCD transaction for most return reason codes. For unauthorized returns (R07, R10), the return window extends to 60 calendar days from the settlement date.

High-risk context: CCD is generally lower-risk than consumer SEC codes because both parties are businesses, and business bank account holders have fewer unauthorized return protections than consumers. For MCA funders, this makes CCD the preferred SEC code — but high-volume daily debits still require careful return rate management. GoACH’s AI risk engine monitors CCD return patterns in real time, with particular attention to R01 clusters that signal merchant financial stress before they escalate into R02 or R03 closures.

GoACH and CCD: GoACH’s platform is purpose-built around CCD for MCA operations. Features include intelligent retry logic trained on CCD return code patterns, same-day settlement for daily debit portfolios, and portfolio-level return rate dashboards broken down by merchant, batch, and return code.

SEC Code
PPD

Prearranged Payment and Deposit

Consumer ACH transactions authorized via written agreement. The standard code for recurring consumer billing — credit repair, debt settlement, and subscription services.

Authorization Requirements

  • Written authorization signed or similarly authenticated by the consumer
  • Must include company name, consumer name, account number, routing number, and debit amount (or variable amount terms)
  • For recurring debits, authorization must be provided in advance of the first transaction
  • Authorization must be provided to the consumer and retained for 2 years after last transaction
  • Consumer must be given notice before the amount or date changes

Common Return Codes

  • R01 — Insufficient Funds
  • R02 — Account Closed
  • R05 — Unauthorized Debit to Consumer Account (counts toward 0.5% unauthorized threshold)
  • R07 — Authorization Revoked by Consumer
  • R10 — Customer Advises Not Authorized
  • R29 — Corporate Customer Advises Not Authorized (rare but severe)

Who uses PPD: Credit repair companies collecting monthly service fees, debt settlement companies processing payment plan installments, insurance premium finance companies, and any business running recurring consumer billing with a signed authorization on file.

Return window: Standard returns: 2 banking days. Unauthorized returns (R05, R07, R10): 60 calendar days from settlement date for consumers. This extended unauthorized return window is a significant risk factor for high-volume consumer billing operations.

High-risk context: PPD carries more consumer protection than CCD because the RDFI has greater latitude to process unauthorized return claims. For credit repair and debt settlement companies — where customer disputes are structurally more common — maintaining clean PPD authorization records is critical. GoACH’s platform monitors R05, R07, and R10 returns separately to protect your 0.5% unauthorized return threshold.

PPD vs. WEB: If the consumer authorized the debit online (via a form, portal, or electronic signature), WEB is the correct code — not PPD. Using PPD for internet-initiated transactions is a NACHA compliance violation.

SEC Code
WEB

Internet-Initiated Debit Entry

Consumer debits authorized via the internet — online forms, portals, or electronic signatures. Carries the strictest account validation requirements of any consumer SEC code.

Authorization Requirements

  • Consumer authorization must be obtained via the internet — a web form, online portal, or electronic agreement
  • The originator must use a commercially reasonable fraudulent transaction detection system
  • Account validation required: NACHA mandates account validation for WEB debits since March 2022
  • The authorization must clearly state the debit terms and be retained
  • Consumers must be able to revoke authorization online

Common Return Codes

  • R01 — Insufficient Funds
  • R02 — Account Closed
  • R10 — Customer Advises Not Authorized (most common unauthorized return for WEB)
  • R29 — Corporate Customer Advises Not Authorized
  • R23 — Credit Entry Refused by Receiver (for WEB credits)

Who uses WEB: Any business that accepts ACH payment authorizations through a website, online application, or digital portal. Credit repair companies with online enrollment forms, debt settlement companies with digital client agreements, and SaaS platforms with online billing all use WEB for consumer ACH debits.

The 2022 account validation rule: Since March 19, 2022, NACHA requires all WEB debit originators to use a commercially reasonable method of account validation before the first debit. Acceptable methods include real-time account verification services (Plaid, Yodlee, Finicity), micro-deposit verification, or pre-note testing.

High-risk context: WEB is the highest-scrutiny consumer SEC code from a NACHA compliance perspective. The account validation requirement, combined with the 60-day unauthorized return window, makes WEB authorization management critical for credit repair and online-enrollment businesses. GoACH’s platform includes built-in WEB debit authorization workflows with account validation integration.

WEB vs. TEL: If the consumer authorized by phone rather than online, use TEL — not WEB. Misclassifying TEL-authorized transactions as WEB violates NACHA rules.

SEC Code
TEL

Telephone-Initiated Entry

Single-entry consumer debits authorized orally by telephone. Restricted to existing customer relationships or inbound calls. Requires a recorded authorization or written confirmation.

Authorization Requirements

  • Authorization must be obtained orally via telephone from the consumer
  • Originator must either record the oral authorization or provide written notice to the consumer before settlement
  • TEL is limited to: (1) an existing customer relationship, OR (2) a consumer-initiated inbound call
  • TEL cannot be used to initiate recurring debits — single entry only
  • The recorded authorization or written notice must be retained for 2 years

Common Return Codes

  • R01 — Insufficient Funds
  • R02 — Account Closed
  • R07 — Authorization Revoked by Consumer
  • R10 — Customer Advises Not Authorized
  • R15 — Beneficiary or Account Holder Deceased

Who uses TEL: Debt collection agencies collecting phone-authorized payments, insurance companies processing one-time premium payments by phone, and any business accepting single ACH payments via inbound customer calls.

Existing relationship restriction: TEL cannot be used for outbound calls to consumers with whom you have no prior relationship. Cold outbound calls requesting ACH authorization are not eligible for TEL — this is one of the most commonly misunderstood TEL restrictions.

Single-entry limitation: TEL is for one-time debits only. If the consumer authorizes recurring payments by phone, you must obtain a written or electronic authorization (PPD or WEB) for the recurring series.

High-risk context: For debt collection agencies, TEL is operationally common but compliance-intensive. GoACH recommends maintaining a systematic authorization archive for all TEL transactions given the 60-day unauthorized return window and R10 return risk inherent in collections contexts.

Quick Reference

ACH SEC codes comparison table

Use this table to determine the correct SEC code for your transaction type and authorization method.

SEC Code Full Name Account Type Authorization Method Recurring? Account Validation Primary Use Case
CCD Corporate Credit or Debit Business checking/savings Written or electronic business authorization Yes Not required MCA daily debits, B2B vendor payments, business payroll
PPD Prearranged Payment & Deposit Consumer checking/savings Written/signed paper or electronic authorization Yes Not required Credit repair monthly fees, debt settlement plans, consumer subscriptions
WEB Internet-Initiated Debit Consumer checking/savings Online form, portal, or electronic agreement Yes Required (NACHA 2022 rule) Online enrollment billing, e-commerce ACH, digital subscription services
TEL Telephone-Initiated Entry Consumer checking/savings Oral authorization via inbound or existing-relationship phone call No (single entry only) Not required Collections one-time payments, inbound phone payments, insurance premium by phone

Other SEC Codes

Additional SEC codes you may encounter

While CCD, PPD, WEB, and TEL cover most business ACH use cases, NACHA recognizes additional SEC codes for specialized transaction types. GoACH supports CCD, PPD, WEB, and TEL natively.

ACK — ACH Payment Acknowledgment
ARC — Accounts Receivable Entry
BOC — Back Office Conversion
CIE — Customer Initiated Entry
CTX — Corporate Trade Exchange
IAT — International ACH Transaction
POP — Point of Purchase
POS — Point of Sale
RCK — Re-presented Check Entry
TRC — Truncated Entry

If your transaction type doesn’t fit CCD, PPD, WEB, or TEL, contact GoACH’s team to determine the correct SEC code before originating — misclassification is a NACHA compliance violation regardless of intent.

FAQ

ACH SEC code frequently asked questions

What happens if I use the wrong SEC code?
Using the wrong SEC code is a violation of NACHA Operating Rules. Consequences range from return complications to compliance findings during a NACHA audit. For high-risk ACH accounts where processing privileges are conditional, repeated SEC code misclassification can contribute to account suspension. GoACH’s onboarding process identifies and configures the correct SEC code(s) for your business based on your authorization channels.
Can I use multiple SEC codes on the same GoACH account?
Yes. Many businesses use more than one SEC code depending on how transactions are authorized. An MCA funder might use CCD for daily debits and PPD for a consumer-facing product. Each SEC code is configured and monitored separately within GoACH’s platform, with return rate tracking maintained independently for each code.
What is the difference between PPD and WEB?
Both PPD and WEB are used for consumer ACH debits, but the key difference is the authorization channel. PPD requires a written authorization — a signed paper form or a document the consumer signed offline. WEB is specifically for authorizations obtained through an internet interface — a website form, online portal, or digital enrollment flow. If the consumer filled out a form on your website, WEB is the correct code. Using PPD for internet-obtained authorizations is a NACHA violation.
Does the 2022 NACHA account validation rule apply to all WEB debits?
Yes. Since March 19, 2022, all WEB debit originators are required to use a commercially reasonable fraudulent transaction detection system and validate consumer account information before the first debit in a series. GoACH’s platform includes WEB account validation workflows to ensure compliance with this requirement.
What SEC code should MCA companies use for daily debits?
CCD is the correct SEC code for MCA daily debits. MCA repayment debits are drawn from business (not consumer) checking accounts, and the authorization is contained within the merchant cash advance agreement signed by the business. Using PPD or WEB for MCA debits against business accounts would be a NACHA misclassification. Learn more about MCA daily debit processing →
How long do I need to retain ACH authorization records?
NACHA requires ACH authorization records to be retained for a minimum of 2 years after the termination or revocation of the authorization. For high-risk businesses where unauthorized return disputes are more likely, GoACH recommends maintaining authorization records for the full retention period in an easily retrievable format — this is your primary defense against R05, R07, and R10 unauthorized return claims.

Process ACH with GoACH

Need ACH processing with full SEC code support?

GoACH supports CCD, PPD, WEB, and TEL with built-in authorization management and real-time return rate monitoring for each code.

Apply for an ACH account →
View ACH return codes →

About This Guide

This ACH SEC code reference is published by GoACH, a NACHA-compliant ACH payment processor operated by Unity FI Solutions LLC, headquartered in Charlotte, NC. GoACH specializes in high-risk ACH processing for merchant cash advance, credit repair, debt settlement, and collections — industries where correct SEC code usage and return rate management are operationally critical.

Related resources: ACH Return Codes reference · High-Risk ACH Processing · ACH Payment Processor · MCA Daily Debit Processing · High-Risk ACH FAQ