Once you have access to the ACH scheme, authorization is required from your customer before you can begin taking payments.
What is an ACH debit authorization?
An ACH debit authorization is consent given by a customer for a business to collect future payments from them. Before a business can begin collecting ACH debit payments from a customer, they must receive an ACH debit authorization from them.
There’s no standardized format for an ACH authorization form, but each one requires a set of mandatory elements. At a minimum, the form must:
Request permission for all future debits, allowing a business to collect varying amounts from their customers
Collect the necessary banking details to submit payments through the ACH network
Explain to the customer how they can revoke their authorization, including the required notice period (which minimizes the chances of a misunderstanding)
The necessary banking details to collect include:
Payer’s email address (for online transactions)
The account to be debited:
Checking or Savings account
Not to be exceeded amount (for recurring payments)
Frequency (for recurring payments)
Start date (for recurring payments)
How to set up an ACH debit authorization
Your customers can complete an ACH authorization form in one of three ways:
By paper - Customers can complete paper authorization forms and return them to you. Paper authorizations are for PPD debits.
Over the phone - You can take your customer’s details over the phone, but must provide additional information when taking these details (more on this below). Telephone authorizations are for TEL debits.
Online - Your customer can give authorization online. Online authorizations are for WEB debits.
As noted above, ACH authorization forms don’t have a standard format or layout, but must contain several key elements. Once a customer has returned a completed paper authorization form to you, you’ll need to:
Give them a copy of it
Retain the original form as proof of authorization (until two years after the authorization has been terminated)
Paper forms lead to greater chance of human error, so it’s worth using prenotifications to check the customer’s provided bank details are valid before submitting a payment request (more on prenotifications here).
Before you begin taking ACH debit authorization over the phone, be aware that you may only do this when:
You have an existing relationship with the customer, or
The customer initiated the call
In this context, an existing relationship means either having a written agreement in place, or the customer has purchased goods or services from you in the last two years. This means you cannot take phone authorizations by "cold calling".
Both one-off and recurring payments can be authorized over the phone, but there are different requirements for each.
For one-off payments: You need to keep a record of each authorization you collect by phone. It can either be an audio recording or by sending written notice of the authorization prior to a final verbal confirmation. You must keep this recording, or proof that you sent the notice, for two years after the agreement has been terminated.
For recurring authorizations: You must send the customer written confirmation, in addition to verbal authorization, which should again be done via audio recording. It must have clear and understandable terms, and be readily identifiable as an authorization.
The script you use to obtain authorization must include:
The date of debit
The amount (or alternatively, the method of determining the amount)
Payer’s contact number
The account to be debited:
Checking or Savings account
Date of authorization
A statement that the authorization is for a Single Entry ACH debit (for one-off payments)
The amount of the recurring transactions (or a reference to the method of determining the amounts of recurring transactions) (for recurring payments)
The timing of transactions (for recurring payments):
Online ACH debit authorization uses digital authorization forms hosted on the internet. As with their paper counterpart, online authorization forms don’t have a standard format or layout, but must contain several key elements (noted above).
Similar to paper-based authorizations, when a customer submits a completed online ACH authorization form, you must send them written notice of the authorization. This may be done via email.
Every business making use of online authorizations is required to undergo an annual security audit, unless submitting through a TPPP. This audit is to ensure adequate:
Physical security - To protect against theft, tampering, or damage
Personnel and access controls - To protect against unauthorized access and use
Network security - To ensure secure capture, storage, and distribution
Managing your ACH debit authorizations
After an authorization is complete, you can then manage it outside of the ACH network. Customers will need to contact you directly to cancel an authorization, after which you must:
Action the cancellation immediately
Ensure no further payments are taken from the customer
Remember - full details of how to cancel an authorization, along with the required notice period, must be provided on the original authorization form.
And if a customer has provided a single-use authorization, you won’t be able to reuse it if they want to set up a recurring payment again. In these instances, you’ll need to issue a new authorization.
Using GoCardless for ACH debit authorizations
If you use GoCardless as your TPPP, setting up and managing ACH debit authorizations is easy, with:
Bank-approved, fully compliant online authorization forms for your customers
Notification of authorization automatically sent to your customers before any payments are taken
Online authorization proofs stored for you
You can find out more about collecting ACH debit with GoCardless in Chapter 4.