Proof of Authorization & NACHA Compliance Guide
A Complete Resource for Merchants Using ACH Transactions
1. Introduction to Proof of Authorization (POA)
Before you debit your customer’s bank account through the ACH Network, you are legally required to obtain their authorization. This is referred to as Proof of Authorization (POA), and it is essential for ensuring that each transaction is secure, valid, and compliant with NACHA regulations.
An ACH POA is a legally binding agreement between the payor and payee that outlines the transaction’s terms. NACHA requires merchants to retain POA records for two years following the date of the last transaction.
2. Why POA Compliance Is Essential
Maintaining POA compliance helps merchants to:
✅ Protect against unauthorized transaction disputes
✅ Avoid costly chargebacks and funding holds
✅ Prevent monthly non-compliance penalties
✅ Ensure smooth operation and avoid termination of ACH processing services
If a customer disputes a transaction through a Written Statement of Unauthorized Debit (WSUD), the bank may require you to produce valid POA. Failing to do so can result in the return of funds and a violation of NACHA rules.
3. General POA Requirements
Every Proof of Authorization should include the following information:
Merchant's Name and Contact Information
Customer's Name and Contact Information
Payment Details
Type: One-time, recurring, or installment
Authorization Statement
Recourse Statement
Return or cancellation policy
Payor’s Bank Details
Routing number
Account number
Account type (checking/savings)
Date of Agreement and Signature
4. POA Requirements by SEC Code/Transaction Type
ARC – Accounts Receivable Truncated Check Entry
Provide clear notice to the customer before processing a check.
Acceptable via mail or drop-box.
The check must:
Contain a pre-printed serial number
Be for $25,000 or less
Match the face value (no added fees)
Be signed by the customer
POA must include:
A copy of the source document (check)
Copy of the consumer notice
Example Notice Language:
“When you provide a check as payment, you authorize us either to use information from your check to make a one-time electronic fund transfer from your account or to process the payment as a check transaction.”
POP – Point-of-Purchase Entry
Written authorization and original check required at the point of sale.
Check amount must be $25,000 or less.
Provide the customer with a receipt including:
Merchant name
Phone number
Date and amount
Check serial number
Merchant ID
Terminal city and state
PPD – Prearranged Payment or Deposit Entry
Requires a signed written authorization from the consumer.
Must include:
Merchant and customer information
Customer's routing number and account number
Account type (personal/business, checking/savings)
Payment amount or range
Payment timing and frequency
Language explaining how to revoke authorization
Note: PPD credits do not require written authorization.
CCD – Corporate Debit or Credit Entry
Requires a signed written business contract.
If initiated online, follow WEB authorization rules.
Merchants are encouraged to include as many PPD elements as possible.
TEL – Telephone-Initiated Entry
Requires either:
An audio recording of verbal authorization, or
A follow-up letter sent to the customer before settlement
Single-entry TEL POA must include:
Transaction date and amount
Customer name and account number
Customer's phone number
Date of verbal authorization
Method for revoking authorization
Recurring TEL entries must also include:
Frequency, start/end dates, and number of payments
WEB – Internet-Initiated Entry
Requires digital/electronic authorization.
Authorization must include:
Customer’s identity and assent
Clear terms of the transaction
Revocation instructions
Electronic signature or secure confirmation
Timestamp and IP address
Minimum POA Requirements for Credit Card Debits
Even for credit card transactions, merchants must retain:
A copy of the signed receipt or
A copy of the internet authorization
5. Responding to a POA Request
There are two main types of POA requests:
A. POA Request from the Bank
Occurs when a customer files a WSUD
You must respond within 10 business days
If valid POA is provided, the bank may deny the return
B. POA Request from iCheckGateway (iCG)
Part of annual merchant audits
You must respond within 7 business days
Provide POA and supporting documentation through a secure upload link
What to Include in Your Response:
A valid POA with all required details
Transaction confirmation and supporting documents
For recurring or standing authorizations, include both the original and the subsequent transaction authorization
6. What Happens If You Don’t Respond?
If no valid POA is submitted:
❌ The transaction may be returned as unauthorized
❌ You may be charged non-compliance fees
❌ Your account may be subject to review or termination
7. Best Practices for POA Compliance
✅ Collect proper authorization for every ACH or card transaction
✅ Train staff on identifying the correct authorization type
✅ Store all POAs securely for two years
✅ Review NACHA guidelines regularly
✅ Respond promptly to any POA requests
8. Quick POA Compliance Checklist
Requirement | Included? |
---|---|
Merchant & Customer Information | ✅ |
Payment Type and Frequency | ✅ |
Authorization & Recourse Statements | ✅ |
Bank Account Details | ✅ |
Date and Signature | ✅ |
Format Matches Transaction Type (ARC, PPD, etc.) | ✅ |
POA Stored for at Least Two Years | ✅ |
Response Prepared for Bank/iCG Requests | ✅ |
Need Help?
For further assistance or to learn more about maintaining ACH compliance, contact our Compliance Team or visit:
Submit a ticket: Support Services