OnComply
Compliance · March 8, 2026 · 4 min read

ACH Authorization: What You Need to Collect from Every Vendor

A practical guide to collecting, validating, and storing ACH authorization from vendors — including what the authorization must legally contain.

Paying vendors via ACH is faster, cheaper, and easier to reconcile than paper checks. But collecting the banking information correctly — and storing it securely — requires more care than most companies give it.

This guide covers what a valid ACH authorization must contain, how to collect it correctly, and how to handle the data once you have it.

Why Proper ACH Authorization Matters

A vendor payment made without proper authorization is a liability. If a vendor later claims they did not authorize the transfer, or if their banking information was compromised and payments went to the wrong account, you need documentation that shows:

  1. The vendor explicitly authorized you to debit or credit their specific account
  2. The authorization was obtained at a specific time by a specific person
  3. The authorization covers the specific type of transactions you are making

NACHA — the organization that governs the ACH network — requires written or electronic authorization for all ACH transactions. The authorization must be provided before the first transaction, and it must be retained for as long as the authorization is in place plus two years.

What Every ACH Authorization Must Include

A legally sufficient ACH authorization form must contain:

Account holder name. The legal name on the bank account, which may differ from the vendor's business name.

Routing number. The nine-digit ABA routing number identifying the bank. Verify the routing number with a checksum — NACHA's routing number validation algorithm catches the majority of transcription errors.
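The check-digit test mentioned above, as an added example (not code from OnComply): the nine digits are weighted 3, 7, 1 repeating and the weighted sum must be a multiple of 10. The prefix-range check is an extra that the checksum alone does not give you.

```python
# Federal Reserve routing-symbol prefixes that are actually assigned. A number
# that passes the check digit but has a prefix outside these ranges is still bad.
VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))

def aba_check_digit(first_eight: str) -> int:
    """Return the ninth (check) digit for the first eight digits of a routing number.

    The ABA scheme weights the digits 3,7,1,3,7,1,3,7 and picks the check digit
    (weighted 1) that makes the total a multiple of 10.
    """
    if len(first_eight) != 8 or not first_eight.isdigit():
        raise ValueError("expected eight digits")
    weights = (3, 7, 1, 3, 7, 1, 3, 7)
    total = sum(int(d) * w for d, w in zip(first_eight, weights))
    return (10 - total % 10) % 10

def validate_routing_number(rtn: str) -> bool:
    """True if rtn is nine digits with a valid check digit and an assigned prefix.

    The check digit catches every single-digit error and most adjacent
    transpositions (a swapped pair whose digits differ by 5 slips through),
    which is why the article still recommends a voided check for high-value vendors.
    """
    rtn = rtn.strip()
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    if aba_check_digit(rtn[:8]) != int(rtn[8]):
        return False
    prefix = int(rtn[:2])
    return any(lo <= prefix <= hi for lo, hi in VALID_PREFIX_RANGES)
```

The sample numbers in the checks below are constructed to satisfy or fail the arithmetic; they are not real bank routing numbers.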

Account number. The account number at the specified bank. Unlike the routing number, it has no check digit that would catch a transcription error, so confirm it with the vendor once.

Account type. Checking, savings, or business checking. The account type affects how the ACH transaction is formatted.

Authorization language. The authorization text must explicitly state that the account holder is authorizing the company to initiate ACH credits or debits. The standard language: "I authorize [Company Name] to initiate ACH credit/debit transactions to/from the bank account listed above."

Signature and date. The authorization is not valid without a signature from someone with authority over the bank account. For business accounts, this should be an authorized signer on the account.

Company information. Your company name should appear in the authorization so there is no ambiguity about who is authorized to initiate transactions.

Electronic ACH Authorization

NACHA permits electronic authorization as long as the method used to obtain the authorization is compliant. A web-based ACH authorization form is compliant if it:

  • Clearly states the authorization language before the signature is obtained
  • Captures a verifiable signature (a typed name with a certification checkbox, or a drawn signature)
  • Records the IP address, timestamp, and user session at the time of signing
  • Sends a copy of the authorization to the account holder at the email address provided

Electronic authorization is acceptable in court and in NACHA audits when properly documented.
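One way a web tier can enforce the four requirements above before accepting a submission, as an added example that is not OnComply's code. The payload field names and the SHA-256 digest over the record are assumptions for this example; the authorization wording is the article's.

```python
import hashlib
import json
from datetime import datetime
from ipaddress import ip_address

# Authorization wording from the article; the company name is filled in per form.
AUTH_TEMPLATE = ("I authorize {company} to initiate ACH credit/debit transactions "
                 "to/from the bank account listed above.")

def build_authorization_evidence(submission: dict, company: str) -> dict:
    """Check a web-form ACH authorization and return a tamper-evident record.

    `submission` is the form payload as the web tier received it (field names
    are assumptions for this example). Raises ValueError naming the first gap.
    """
    for name in ("text_shown_at", "signed_at", "account_holder", "account_number"):
        if not submission.get(name):
            raise ValueError(f"{name} missing")
    if submission.get("displayed_text") != AUTH_TEMPLATE.format(company=company):
        raise ValueError("authorization language missing or altered")
    # The wording must have been on screen before the signature was captured.
    shown = datetime.fromisoformat(submission["text_shown_at"])
    signed = datetime.fromisoformat(submission["signed_at"])
    if shown >= signed:
        raise ValueError("authorization text must be shown before signature")
    # Accept a typed name with a certification checkbox, or a drawn signature.
    sig = submission.get("signature") or {}
    typed_ok = sig.get("type") == "typed" and bool(sig.get("name")) and sig.get("certified") is True
    drawn_ok = sig.get("type") == "drawn" and bool(sig.get("png_base64"))
    if not (typed_ok or drawn_ok):
        raise ValueError("no verifiable signature")
    ip_address(submission.get("ip", ""))  # ValueError if the IP is malformed or absent
    if not submission.get("session_id"):
        raise ValueError("user session not recorded")
    if "@" not in submission.get("email", ""):
        raise ValueError("no email address to send the copy to")
    record = {
        "company": company,
        "account_holder": submission["account_holder"],
        "account_last4": submission["account_number"][-4:],  # full number goes to the encrypted store
        "signature_type": sig["type"],
        "signer": sig.get("name"),
        "ip": submission["ip"],
        "session_id": submission["session_id"],
        "text_shown_at": submission["text_shown_at"],
        "signed_at": submission["signed_at"],
        "copy_sent_to": submission["email"],
    }
    # Digest over the canonical JSON lets an auditor detect later edits to the record.
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["sha256"] = hashlib.sha256(canon).hexdigest()
    return record
```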

Optional: Voided Check

Some companies require a voided check in addition to the authorization form. A voided check provides independent verification of the routing and account numbers. This is particularly valuable for high-value vendor relationships where payment fraud or a transcription error would be costly.

A voided check photograph (JPG or PNG) is sufficient for most purposes. The check should be clearly legible with the routing number and account number visible.

How to Store ACH Data Securely

ACH data is sensitive by any standard — it contains bank account numbers that can be used to initiate fraudulent transfers. Storage requirements:

Encrypt at rest. ACH records must be encrypted in storage. AES-256 is the appropriate standard. Storing account numbers in a spreadsheet or unencrypted database is not acceptable.

Restrict access. Only team members who need ACH data to perform their job should be able to access it. This typically means finance team members with an operational need — not the full company or anyone with database access.

Access logging. Every access to ACH data should be logged with the accessing user, the time, and the reason. This is both a compliance practice and a fraud prevention measure.

Masking for display. When ACH data is displayed in a UI, show only the last four digits of the routing number and account number. Full account details should require a second authentication step to view.

What to Do When Banking Information Changes

When a vendor changes their bank account, you need a new authorization form before initiating any transactions to the new account. An old authorization does not cover a new account number.

Make vendor banking information changes part of your formal change management process: new authorization collected, verified, and approved before the AP system is updated.

Document every change with a timestamp and the identity of the person who made the update. Bank account changes are a common vector for payment fraud — whether from an external attacker who has compromised the vendor's email or an insider at the vendor.
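The change-management workflow above, together with the masking, second-authentication and access-logging rules from the storage section, as one added example (not OnComply's code). The class, its method names and the three-person rule (requester, verifier and approver must differ) are assumptions for this example; encryption at rest is left to the storage layer and not shown.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

def mask(number: str) -> str:
    # UI display rule from the article: only the last four digits are visible.
    return "*" * (len(number) - 4) + number[-4:]

@dataclass
class BankChangeRequest:
    new_routing: str
    new_account: str
    requested_by: str
    authorization_id: str = ""  # evidence id of the NEW signed authorization form
    verified_by: str = ""       # who confirmed the numbers with the vendor out of band
    approved_by: str = ""
    log: list = field(default_factory=list)  # who did what, when, and why

    def _record(self, actor: str, action: str, reason: str) -> None:
        self.log.append({"at": datetime.now(timezone.utc).isoformat(), "actor": actor, "action": action, "reason": reason})

    def attach_authorization(self, actor: str, authorization_id: str) -> None:
        self.authorization_id = authorization_id
        self._record(actor, "authorization_attached", authorization_id)

    def verify(self, actor: str, reason: str) -> None:
        # An old authorization never covers a new account: a new one must exist first.
        if not self.authorization_id:
            raise PermissionError("no new authorization on file for this account")
        if actor == self.requested_by:
            raise PermissionError("verifier must differ from the requester")
        self.verified_by = actor
        self._record(actor, "verified", reason)

    def approve(self, actor: str) -> None:
        if not self.verified_by or actor in (self.requested_by, self.verified_by):
            raise PermissionError("approval needs a verified change and a third person")
        self.approved_by = actor
        self._record(actor, "approved", "change management sign-off")

    def apply_to_ap(self, actor: str) -> dict:
        if not self.approved_by:
            raise PermissionError("cannot update AP before approval")
        self._record(actor, "applied", "AP master data updated")
        return {"routing": mask(self.new_routing), "account": mask(self.new_account)}

    def view_full(self, actor: str, reason: str, second_factor_ok: bool) -> dict:
        # Full numbers need a second authentication step, and every view is logged.
        if not second_factor_ok:
            raise PermissionError("second authentication step required")
        self._record(actor, "viewed_full_account", reason)
        return {"routing": self.new_routing, "account": self.new_account}
```

The account and routing numbers used in the checks below are constructed sample values.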

