
Every year, businesses that originate ACH transactions are subject to an ACH audit, as required by the NACHA Operating Rules. While many audits go smoothly, there are a handful of recurring issues that pop up year after year. Some are simple, others potentially serious. Whether you’re preparing for an upcoming audit or looking to tighten up your existing ACH practices, understanding these common findings is a smart place to start.
Below are some of the most frequent ACH audit findings, along with insights and recommendations for how to avoid them:
NACHA Guidelines, Chapter 56
Chapter 56 of the NACHA Rules covers the audit requirements that every ACH Originator and Third-Party Sender must follow. It requires an annual audit to ensure compliance with the NACHA Operating Rules and recommends documentation for each key function. Failure to perform this audit or maintain documentation can result in non-compliance findings.
Tip: Make sure your audit is performed annually by a qualified party and that you retain clear documentation of the audit scope, findings, and corrective actions taken.
Annual Review of NACHA Contact List
NACHA requires that each company maintain and annually review its contact information in NACHA’s database. This ensures that your organization can be contacted in the event of a network or transaction issue. (When working with Viking, this information is located on Schedule E of your ACH Origination Agreement.)
Tip: Set a calendar reminder to review and update your NACHA contact list every 12 months.
Annual ACH Risk Assessment Must Include Risk Ratings
The Risk Assessment is more than a formality. NACHA expects a formal risk assessment document that includes risk ratings for each threat and control in your ACH process.
Tip: Document not only risks, but also the impact, likelihood, and controls in place. Assign risk levels to each category, such as Low, Medium, or High.
Proper Use of SEC Codes
Improper use of Standard Entry Class (SEC) Codes, such as using PPD instead of WEB for internet-authorized transactions, is a frequent finding.
Tip: Confirm that every transaction is being coded appropriately. For example:
• PPD: Prearranged payment and deposit (consumer, pre-authorized)
• WEB: Consumer-initiated internet or mobile transactions
• TEL: Telephone-initiated
Origination Agreements Missing or Incomplete
Originators are required to have signed agreements with all parties involved in ACH transactions, including clear authorization language and responsibilities.
Tip: Review your agreements annually and ensure all parties are documented and acknowledged in writing.
Failure to Act on Notice of Change (NOC)
When a financial institution issues a Notice of Change, you’re required to update your records before the next transaction or within six banking days, whichever comes first.
Tip: Assign ownership of NOC monitoring and include this step in your daily ACH processing checklist.
Return Processing Inconsistencies
ACH returns must be processed quickly and accurately. A delay in responding to unauthorized debits or incorrect return coding is a compliance risk.
Missing “RETRY PYMT” Code for Reinitiated Payments
If a payment is reinitiated due to insufficient funds, NACHA rules require the description “RETRY PYMT” in the Company Entry Description field. Without it, the transaction could be flagged as unauthorized.
Tip: Automate the insertion of “RETRY PYMT” into all reinitiated NSF entries to ensure compliance.
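One way to automate and verify this, as an added example that is not from the original article: a Python check over batch header records that sets and audits the Company Entry Description. It assumes the fixed-width NACHA file layout (94-character records, batch header record type "5", description in columns 54-63); the company name, IDs, dates and the `reinitiated_batches` set are constructed sample values.

```python
# Added example. Assumes the fixed-width NACHA file layout: 94-character
# records, batch header = record type "5", Company Entry Description in
# columns 54-63, batch number in columns 88-94.
RECORD_LEN = 94
RETRY_DESC = "RETRY PYMT"  # exactly 10 characters, so it fills the field


def build_header(company, company_id, sec, desc, eff_date, odfi, batch_no):
    """Build a batch header record from constructed sample values."""
    rec = ("5" + "225"                    # record type, debits-only class
           + company.ljust(16)[:16] + " " * 20
           + company_id.ljust(10)[:10] + sec.ljust(3)[:3]
           + desc.ljust(10)[:10] + " " * 6 + eff_date + " " * 3
           + "1" + odfi + str(batch_no).zfill(7))
    if len(rec) != RECORD_LEN:
        raise ValueError("header is not 94 characters")
    return rec


def mark_reinitiated(header):
    """Return the header with the description replaced by RETRY PYMT."""
    if len(header) != RECORD_LEN or header[0] != "5":
        raise ValueError("not a 94-character batch header record")
    return header[:53] + RETRY_DESC + header[63:]


def audit(records, reinitiated_batches):
    """List batch numbers that are reinitiated but lack RETRY PYMT."""
    # reinitiated_batches comes from the originator's own tracking. The
    # description is batch-level, so reinitiated entries need their own batch.
    findings = []
    for rec in records:
        if rec[:1] != "5":
            continue                      # only batch headers carry it
        batch_no = int(rec[87:94])
        if batch_no in reinitiated_batches and rec[53:63] != RETRY_DESC:
            findings.append(batch_no)
    return findings


# Constructed sample: batch 1 is new payroll, batch 2 re-presents NSF debits.
SAMPLE = [
    build_header("EXAMPLE CO", "1234567890", "PPD", "PAYROLL", "250623", "12345678", 1),
    build_header("EXAMPLE CO", "1234567890", "WEB", "PAYMENT", "250623", "12345678", 2),
]
FIXED = [SAMPLE[0], mark_reinitiated(SAMPLE[1])]
```

Running `audit(SAMPLE, {2})` reports batch 2 as a finding, and `audit(FIXED, {2})` reports none; the same check can run as a pre-submission gate on every outgoing file.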
Lack of a Business Continuity Plan
Many businesses fail to create or test a formal Business Continuity Plan for ACH operations, which is a NACHA expectation.
Tip: Draft a documented plan outlining how ACH processing will continue in the event of a disruption. Test it annually and keep logs of those tests.
Missing or Outdated Reg E Disclosures
The Electronic Fund Transfer Act (Regulation E) requires specific consumer disclosures, such as dispute rights and liability limits. These must appear on account statements or statement backers.
Tip: Review your Reg E disclosures annually and confirm that consumers receive them through appropriate channels.
Terms and Conditions Lacking ACH Language
Many merchant agreements and consumer-facing Terms and Conditions lack clear language about ACH authorization, dispute procedures, and usage of recurring entries.
Tip: Add a section to your Terms and Conditions that explains how ACH transactions are authorized and handled. Include clear consent language.
Final Thoughts
Being prepared for your next ACH audit starts with awareness. These common findings don’t just reflect compliance oversights; they point to real operational risks that could lead to fines, returns, or customer dissatisfaction.
Want help tightening up your ACH processes? Reach out to your Viking representative today.
June 22, 2025

About Tracey Gibson
She is an accomplished compliance executive with extensive experience in overseeing and managing compliance functions and initiatives of an organization. She has expertise in ensuring organizations comply with regulatory requirements and brings a strong background in ethical business practice, risk management, privacy, employee management and customer service.