ACH Origination Customer Education & Best Practices

As an ACH Originator, your company plays an important role in helping ensure ACH transactions are processed securely, accurately, and in accordance with applicable NACHA Operating Rules.

Lakeside Bank provides this information annually to help our ACH Originating customers stay informed of ACH responsibilities, fraud risks, security expectations, and available resources.

This page is intended for educational purposes and should be shared with any employees within your organization who access Cash Management Online Banking or originate, approve, review, or manage ACH activity.

ACH Origination Fraud Awareness

ACH origination fraud can occur when unauthorized parties gain access to a company’s systems or credentials and initiate invalid ACH transactions. This may include compromised user IDs or passwords, malware, phishing, spoofing, or other social‑engineering attempts.

Spoofing occurs when a fraudster sends an email that appears to come from a legitimate sender, such as a known vendor, customer, or internal contact. In many cases, the email address looks nearly identical to the real address, or the vendor’s email account has been compromised.

One of the most common forms of ACH fraud involves fraudulent or incorrect ACH instructions received via email from a known vendor or receiver. These messages often request “updated” instructions and are designed to look legitimate, but direct payments to an account controlled by the fraudster.

To help prevent ACH fraud, customers should always independently verify any new or changed ACH instructions using a known, trusted contact method (such as calling a verified phone number on file for the receiver), rather than relying solely on email communications.

Lakeside Bank will never ask for your Cash Management password, PIN, token code, or other secure authentication credentials.

ACH Originators should take steps to protect systems and credentials, including:

• Keeping computers and systems updated and patched
• Using antivirus, anti‑malware, firewall, and spam protection
• Restricting access to authorized employees only
• Never sharing user IDs or passwords
• Removing access for former employees
• Reviewing account activity daily
• Notifying Lakeside Bank immediately of suspicious activity

Internal Controls & Dual Approval

Lakeside Bank strongly encourages ACH Originators to implement strong internal controls, including separation of duties and dual approval, whenever possible.

A common best practice is for one individual to prepare ACH transactions while a second, authorized individual independently reviews and approves them before release. This dual‑control process provides an important safeguard against unauthorized transactions, errors, and misuse.

ACH Originator Responsibilities

ACH Originators are responsible for ensuring transactions are properly authorized, accurate, and compliant.

Responsibilities include:

• Maintaining proper authorization from Receivers
• Providing proof of authorization upon request within 10 calendar days
• Ensuring sufficient funds are available
• Using only approved SEC codes
• Reviewing ACH returns and Notifications of Change
• Retaining ACH authorization records securely
• Monitoring return activity
• Ensuring compliance with U.S. law

NACHA Rules & Updates

ACH Originators are required to comply with the NACHA Operating Rules, which govern the origination, processing, and settlement of ACH transactions.

NACHA periodically updates its rules to address fraud trends, risk‑management practices, and operational requirements. Originators are encouraged to review NACHA rule updates annually and ensure their ACH processes remain compliant.

Helpful NACHA resources include:

• https://www.nacha.org/content/ach
• http://www.achrulesonline.org

If you have questions about how NACHA rule changes may impact your ACH activity, please contact Lakeside Bank’s Treasury Management team.

ACH Returns

ACH returns occur when transactions cannot be posted. Originators must review returns promptly and take appropriate action.

Unauthorized return activity should be monitored closely and kept within NACHA thresholds.

Notifications of Change

A Notification of Change (NOC) is sent when ACH transaction information, such as an account number or routing number, is outdated or incorrect.

When an NOC is received, the Originator must update the information promptly and before initiating the next ACH transaction. Timely handling of NOCs helps prevent returns, processing delays, and potential compliance issues.

SEC Codes

A Standard Entry Class (SEC) code is a required three‑character code used in ACH transactions to identify the type of payment being initiated. Using the correct SEC code is important for proper processing and helps reduce the risk of returns or delays.

The most commonly used and approved SEC codes through Lakeside Bank’s ACH Origination services include:

• PPD (Prearranged Payment and Deposit) — Used for business‑to‑consumer ACH transactions, such as payroll direct deposit or other payments to individuals. Written authorization should be retained when debiting a consumer’s account.
• CCD (Corporate Credit or Debit) — Used for business‑to‑business ACH transactions, including payments or collections between companies. Authorizations are typically handled through contractual agreements between businesses.

ACH transactions must use the appropriate SEC code based on the receiver type. Consumer and business transactions cannot be combined within the same ACH batch.

If you have questions about which SEC code applies to your ACH activity, or if you need to initiate a different type of ACH transaction, please contact the bank before submitting the transaction.

Suspicious Activity

Contact Lakeside Bank immediately if you notice:

• Unauthorized transactions
• Suspicious login activity
• Credential compromise
• Security incidentsTreasury Management Department
  [email protected]
  (312) 435-1639