Try for Free
Try for Free

ACH Authorization Form: What It Must Say in 2026 (Free Template + AI Generator)

Helena Kozlova
Written by
Helena Kozlovain
Legal Content Specialist, AI Lawyer
~10 min read · Updated June 2026
Kamal Tserakhau
Fact-checked by
Kamal Tserakhauin
Legal Team Lead · AI Lawyer
Reviewed for accuracy · Verified June 2026
An ACH debit authorization form naming the company, the bank account with account type, an 89 dollar monthly schedule, and 10-day revocation terms, e-signed with a timestamp and stamped authorized, next to a voided check used only for account verification
An ACH debit authorization done right: the consent names the company, the account, the amount and schedule, and how to revoke, and the e-signature is captured with a timestamp. That is the record your bank will ask for when a payment is disputed.

An ACH authorization form is the written or electronic consent that lets a business debit or credit someone's bank account through the Automated Clearing House network. The network moved 33.6 billion payments worth $86.2 trillion in 2024, and every legitimate one of them traces back to an authorization. Most free templates get the blanks right and still leave businesses exposed, because the rules around the form changed in 2026 and almost nobody updated the paperwork.

The short answer

A compliant ACH authorization form needs six things: who is being paid and who is paying, the bank account details with the account type, whether the entry is a one-time or recurring debit or credit, the amount or a clear method for setting it, the schedule, and revocation language that states exactly how and when the customer can cancel. Electronic signatures are valid if you authenticate the signer and can reproduce the record. Keep every authorization for at least two years after it ends. New for 2026: by June 19, every business that originates ACH debits must have documented fraud-monitoring procedures under the Nacha risk rules, and since March 20, online purchases of goods must be described as PURCHASE and wage payments as PAYROLL in the entry description.

This article is general information for a U.S. audience, not legal or compliance advice. The Nacha Operating Rules change on a fixed annual cycle and your bank may impose stricter requirements. Confirm current rules with your ODFI before relying on any template.

Need an ACH authorization form today? AI Lawyer drafts a debit or credit authorization from a few questions: parties, amount or range, schedule, and revocation terms, with the consent language banks expect. Free to try, no credit card.
Draft my form →
33.6BACH payments in 2024, worth $86.2 trillion
June 19, 2026every ACH originator must have fraud-monitoring procedures
2 yearsminimum retention after an authorization ends
60 daysconsumer window to dispute an unauthorized debit under Regulation E

You might also like:

What is an ACH authorization form?

An ACH authorization form is the consent record that permits a business to move money to or from a bank account over the ACH network. It identifies the parties, captures the routing and account numbers and account type, states whether the payment is a single entry or recurring, fixes the amount or the method for determining it, and explains how the account holder can revoke. Under the Nacha Operating Rules, a debit to a consumer account is only valid if this authorization exists and can be produced on request.

The form matters because ACH is a pull-capable network. Once a customer hands over a routing and account number with consent, the originator can draw funds on a schedule, which is exactly why the rules demand clear terms and an exit route.

Banks call the business collecting the payment the Originator, the business's bank the ODFI, and the customer's bank the RDFI. When a payment is disputed, the chain runs backward: the RDFI asks the ODFI, the ODFI asks you, and the only acceptable answer is a copy of the signed authorization.

Download the free ACH Authorization Form Template or build a customized one with the AI Generator, then have your ODFI or counsel confirm it matches how you actually bill.

Do you need a debit authorization or a credit authorization?

A debit authorization lets you pull money from someone's account: subscriptions, rent, tuition, installment payments, invoices. A credit authorization lets you push money to someone's account: payroll direct deposit, vendor payouts, refunds. Debits carry nearly all of the compliance weight, because the customer's money moves on your initiative and the dispute rights are correspondingly stronger.
ACH debit authorization versus ACH credit authorization: debits pull funds from the customer account and require signed reproducible consent with revocation terms, credits push funds for payroll, vendor payouts, and refunds and mainly require accurate bank details
The direction of the money decides the form. Pulling funds requires signed consent you can reproduce; pushing funds mostly requires accurate bank details and basic consent.

For credits, the form is mostly an accuracy device: legal name, bank details, account type, and a signature so nobody can later claim the deposit went astray on your initiative. Employee direct-deposit and vendor ACH enrollment forms live here.

For debits, the form is a legal safeguard. The Nacha rules require that a consumer debit authorization be readily identifiable as an authorization, with clear and readily understandable terms. The customer must be able to tell what they agreed to, for how much, on what dates, and how to stop it.

One more distinction worth writing into the form: single entry versus recurring versus standing authorization. A standing authorization, recognized by the rules since 2021, is an advance consent on file that lets the customer trigger individual payments later, and it changes which entry codes your processor uses.

What must an ACH authorization form include to be Nacha-compliant?

Six elements: the parties (originator and account holder), the bank details (routing number, account number, checking or savings), the transaction type (debit or credit, one-time or recurring), the amount or a defined method or range for variable amounts, the timing (dates or frequency and start date), and revocation terms that state the manner and notice period for cancelling. Add a signature with a date, and for electronic forms an authentication trail such as a timestamp and IP address.

Nacha publishes a model consumer debit authorization, and its quiet details are what most homemade forms miss. The model consent authorizes the company to debit the account and, if necessary, to credit it to correct erroneous debits, which spares you a second consent when you fix a mistake.

ElementWhat to writeWhy it matters
PartiesLegal names of the company and the account holder, with contact detailsThe dispute chain starts with identifying who authorized whom
Bank detailsRouting number, account number, checking or savingsA wrong account type alone can cause a return
Transaction typeDebit or credit; one-time, recurring, or standingDetermines the consent language and the SEC code
AmountFixed amount, a stated range, or the method of determining itVariable amounts without a stated range invite R10 disputes
ScheduleDates or frequency plus the start dateThe customer must be able to predict every debit
RevocationThe exact manner (in writing, by phone, address) and notice periodThe rules require revocation terms in written debit authorizations

The revocation clause deserves the most care. The Nacha model form leaves blanks for the manner of revocation and the notice period precisely because vague language like "contact us to cancel" fails its standard: the authorization must state the time and manner in which the customer can revoke, giving you a reasonable chance to act before the next debit. Ten to fifteen days written notice is the common choice.

For variable-amount recurring debits to consumers, federal law adds a second clock: under the Electronic Fund Transfer Act framework, the customer is entitled to notice of the amount and date before a debit that varies from the prior one, which is why subscription companies send the pre-debit email.

What changed in the Nacha rules in 2026?

Two things, both live now. Since March 20, 2026, originators must use standardized entry descriptions: PAYROLL for PPD wage and salary credits, and PURCHASE for WEB debits collecting online purchases of goods. And under the fraud-monitoring amendments, ODFIs and the largest originators had to implement risk-based fraud-monitoring procedures by March 20, 2026, with every remaining originator, third-party sender, and third-party service provider covered by June 19, 2026, regardless of size.
Timeline of the 2026 Nacha rule changes: March 20, 2026 mandatory PURCHASE and PAYROLL entry descriptions and Phase 1 fraud monitoring for the largest originators, June 19, 2026 Phase 2 extending risk-based fraud monitoring to every originator and third-party sender
The 2026 Nacha risk-management timeline. The June 19 phase pulls every business that originates ACH debits into the fraud-monitoring requirement, including small ones.

The fraud-monitoring rule is the one that surprises small businesses. It is not aimed only at banks: each non-consumer originator must establish and implement risk-based processes reasonably designed to identify ACH entries initiated due to fraud. Phase 1 on March 20, 2026 covered ODFIs and originators with more than 6 million ACH transactions in 2023. Phase 2 closes the gap on June 19, 2026 and applies to everyone else who originates, even a yoga studio drafting twenty memberships a month.

In practice, compliance looks like documented procedures: verifying a new customer's account before the first debit, watching for velocity and anomaly patterns, and reviewing returns. Your authorization workflow is the natural anchor for those controls, which is why updating the form and the enrollment process together is the efficient move.

The entry-description rule is smaller but visible to customers. The word PURCHASE or PAYROLL now appears in the bank-statement description for covered entries, so your authorization and your customer communications should match the wording the customer will see, reducing "I do not recognize this" disputes.

If your volume runs through a processor or platform, ask one question before June 19: who performs the fraud monitoring required by the 2026 amendments, you or them, and where is it documented. The rules allow the work to sit with a third party, but the obligation stays with the parties named in the rule.

Is an electronic ACH authorization valid?

Yes. The Nacha rules treat similarly authenticated electronic consents as equivalent to signed paper, consistent with the federal E-SIGN Act. The requirements are that you authenticate the signer, present the consent terms clearly, and retain a record you can reproduce, which in practice means capturing the exact consent text, a timestamp, and an IP address or device identifier.

For internet-initiated debits, a separate rule already requires account validation: the first time you debit a newly provided account number, you must have verified it through a method such as micro-deposits, an instant account-verification service, or a prenote. Skipping validation is both a rules violation and the single most common source of administrative returns.

Phone authorizations are also possible for consumer debits, but only with either a recording of the oral authorization or a written confirmation sent before settlement, which is why most small businesses route customers to an e-signed form instead.

Whatever the channel, the test your form must pass is reproduction: when the RDFI asks your bank for proof of authorization, you typically have ten banking days to produce the record. A PDF with the signed consent, the timestamp, and the schedule settles most disputes before they become returns.

How do you set up ACH authorization step by step?

Collect the form, validate the account, store the record, notify before variable debits, and monitor returns. Five steps, and each one maps to a rule: clear consent terms, the WEB account-validation requirement, the two-year retention rule, the pre-debit notice for changed amounts, and the 2026 fraud-monitoring obligation.
The five-step ACH authorization workflow: collect the form, validate the account before the first debit, store the consent record, send notice before variable debits, and monitor return codes
The five-step ACH enrollment workflow that keeps debits compliant from consent to monitoring.

Step one is the form itself, with all six elements from the table above and consent language the customer can actually read. Plain language is not a courtesy here, it is the rule's standard.

Step two is validation. Confirm the account exists and the customer controls it before the first debit, using micro-deposits or an instant verification service. This satisfies the WEB debit rule and quietly screens out typos that would bounce as R03 or R04 returns.

Step three is storage. Keep the signed form, the consent text version, and the authentication data encrypted and access-controlled. Step four is notice: for variable amounts, send the amount and date ahead of the debit. Step five is monitoring, which since June 2026 is not optional: review your return codes monthly and investigate anomalies, and write down that you do.

Which return codes should your authorization form prevent?

The authorization-related returns are R05, R07, R10, R11, and R29. R10 means the customer says they never authorized the debit, R11 means they authorized it but the debit does not match the terms, R07 means the authorization was revoked, R05 flags a consumer debit sent with a corporate code, and R29 is the business-account equivalent of R10. A precise form with matching billing behavior prevents most of them.
CodeWhat the bank is telling youThe form fix
R01Insufficient fundsOffer date choice or split payments in the schedule clause
R05 / R29Unauthorized debit, consumer / business accountGet the right signer: an officer for business accounts
R07Authorization revokedHonor revocations fast and confirm them in writing
R10Customer says no authorization existsReproducible consent record with timestamp and terms
R11Debit does not match the authorization termsBill exactly what the form says; send notice before changes

Return rates are not cosmetic. Nacha caps the unauthorized return rate at 0.5 percent, the administrative rate at 3 percent, and the overall rate at 15 percent, and an originator who breaches them ends up in a remediation conversation between the banks. The cheapest way to stay far from the thresholds is a form whose terms match the debits to the penny and the day.

R11 is worth a special note since the 2020 rule split it from R10: a customer who agrees they authorized you but disputes the amount or date now returns under R11, and you are allowed to correct and re-present the entry. Your response playbook should treat the two codes differently.

How long do you need to keep ACH authorization records?

At least two years after the authorization is terminated or revoked, under the Nacha Operating Rules. For a recurring debit that ran for three years, that means the form and its authentication trail must survive for five. Most businesses keep them longer, encrypted and access-logged, because the record is also their defense in any later dispute.

Retention has a quality dimension as well: what you keep must be a copy of the actual consent, not a reconstruction. If the consent text changes, version it, so you can show which wording a given customer accepted.

When a customer revokes, keep the revocation too, with its date. R07 disputes usually turn on timing, and a logged revocation plus a final-debit record closes the question.

Frequently asked questions

Is an ACH authorization form legally required?

Yes, for debits. The Nacha Operating Rules require authorization before originating an ACH debit, and for consumer accounts the authorization must be in writing or similarly authenticated electronically. Without it, the customer can have the debit returned as unauthorized, and a consumer has 60 days from the statement under Regulation E.

Can I use one form for both one-time and recurring payments?

Yes, with checkboxes that make the choice explicit and separate terms for each. The form must show which option the customer selected, the amount or range, and the schedule. A single vague consent covering "any payments due" is the kind of wording that loses R10 disputes.

How much notice do I need before changing a debit amount?

For consumer debits that vary from the previous amount, send notice of the new amount and date before the debit. Ten days written notice is the common standard, and your authorization should state the method, such as email. Pair it with an easy way to modify or cancel, which prevents R07 and R11 returns.

What is the difference between an ACH authorization and a voided check?

The voided check only proves the routing and account numbers. It is not consent. The authorization form is the legal permission with the terms, schedule, and revocation rights. Many forms ask for a voided check as an accuracy attachment, but the signature on the authorization is what makes a debit lawful.

Does the June 19, 2026 Nacha deadline really apply to small businesses?

Yes. Phase 2 of the fraud-monitoring amendments covers each non-consumer originator regardless of volume, along with third-party senders and service providers. The requirement is risk-based, so a small originator's procedures can be simple: validate new accounts, review returns, watch for anomalies, and document the process. The obligation cannot be ignored just because a processor sits in the middle.

Do I have to use the word PURCHASE or PAYROLL on my entries?

If the entries are covered, yes, since March 20, 2026. WEB debits collecting payment for online purchases of goods must carry PURCHASE in the company entry description, and PPD credits paying wages or salaries must carry PAYROLL. Your processor sets the field, but you are responsible for telling it which transactions qualify.

How do customers cancel an ACH authorization?

By following the revocation terms in the form: typically written notice a stated number of days before the next debit. Customers can also instruct their own bank to stop a specific recurring debit at least three business days before it settles. Honor every revocation and confirm it in writing, because debiting after revocation produces R07 returns and Regulation E liability.

How long can I keep using an authorization I collected years ago?

Until it is revoked or its terms stop matching reality. An authorization is not evergreen: if the amount, schedule, payee name, or bank account changes, collect a new one. A new authorization is also required when a customer gives you a different account, and the first debit to it must be validated again.

Sources and references

  • Nacha, ACH Network Volume and Value Statistics: 33.6 billion payments valued at $86.2 trillion in 2024.
  • Nacha Operating Rules and Guidelines, including the model Authorization for Direct Payment via ACH and the consumer debit authorization requirements.
  • Nacha Risk Management Topics, Fraud Monitoring Phase 1 and Phase 2: risk-based fraud-monitoring requirements effective March 20, 2026 for ODFIs and originators above 6 million 2023 entries, and June 19, 2026 for all remaining originators, third-party senders, and third-party service providers.
  • Nacha Risk Management Topics, Company Entry Descriptions: mandatory PAYROLL and PURCHASE descriptions effective March 20, 2026.
  • Nacha retention requirements for ACH authorizations: minimum two years following termination or revocation.
  • Electronic Signatures in Global and National Commerce Act (E-SIGN), 15 U.S.C. ch. 96, on the validity of electronic consents.
  • Consumer Financial Protection Bureau, Regulation E, 12 C.F.R. Part 1005, on unauthorized electronic fund transfers and the 60-day dispute window.
Consent that survives a dispute Draft an ACH authorization that banks accept. AI Lawyer builds your debit or credit authorization from a few questions, with the revocation clause, variable-amount notice, and record-keeping language the 2026 rules expect. Free to start, no credit card required. Start free with AI Lawyer →
AI Lawyer drafting an ACH authorization form