Web debit account validation rule: how to be compliant?


Last modified on March 19th, 2024

Before 2021, it was almost impossible for US businesses to validate the web debit accounts of customers or third parties. Organizations were at the mercy of fraudsters, which led to widespread exploitation. In fact, non-cash payment fraud in the US grew by almost 40% between 2010 and 2015. Fortunately, regulators reacted and created the web debit account validation rule. Learn more about the rule change and requirements!

Trustpair provides automated account validation and helps you prevent fraud and be compliant. Request a demo to learn more.


What are the requirements for the web debit account validation rule?

To understand the web debit account validation rules, it’s important to first contextualize the issue, in terms of payments in the US.

Year-on-year growth for the number of payments made through the ACH network sat at 8.2% between 2019 and 2020, and this higher volume of transactions has also correlated with higher total dollar values. It’s clear that in the US, both companies and consumers alike have grown fond of the convenience of the network.

However, this huge growth in popularity has also attracted vendor payment fraud. In the same year, for example, US businesses lost over $1.8 billion to fraud.

Electronic payments are overseen by the National Automated Clearing House Association (NACHA). NACHA is the body responsible for implementing regulatory requirements and preventing payment fraud. So, in 2021 (and in response to the abundance of fraud attempts), NACHA brought in a new regulation: web account validation.

The web debit account validation rule states that payment originators must implement a “commercially viable” method to determine that the account number of their debit payee is valid.

Let’s break that down:

Within the NACHA electronic payments network, those who initiate payments are known as payment originators, while accounts that are paid into are known as recipients.

This rule applies to the originators. It means that organizations must verify that those who want to make a purchase have a legitimate and open account at a financial institution in order to pay.

Of course, the primary purpose of this rule is to protect financial institutions (and service providers) from the risk of fraudsters. For example, it would no longer be possible for fake organizations to make up an account or routing number, make a product order, and then get away with the product, leaving the supplier without payment.

Components of the NACHA requirements

There are two main components of the web account validation regulation:

  1. Originators are required to implement a commercially viable method of fraud detection
  2. Receivers (RDFIs) must be able to scale up and manage an increase in notifications. With the validation rule, it’s likely that whichever method originators choose, receivers will need to react in a timely manner in order to help authenticate their account holders. Two kinds of notification likely to grow are microtransactions and prenotifications, both of which are explained in the next section.


How to comply with the rule?

The ruling is famously neutral in its compliance requirements, which means that it’s down to companies to choose the right method for them. As long as the web debits undergo a “commercially viable” method of fraud detection, it’s likely to fit the requirements.

Here are three possible solutions for compliance:

  1. ACH prenotes
  2. Trial deposits
  3. Vendor and customer databases

Businesses with thousands of third parties would waste both time and money trying to verify and monitor them continuously by hand. Therefore, manual compliance is virtually impossible.

ACH prenotes

ACH prenotes are zero-dollar transactions that can be sent to a third party in order to validate their account. Even though the transaction is worth nothing, financial institutions are still required to treat it like a normal purchase, which means that the originator can confirm whether or not the third-party account is valid.

Trial deposits

Trial deposits work through multiple micro-payments, where the recipient must verify the amounts with the originator.

For example, a business could make a $0.03 deposit, followed by an additional $0.12 deposit into their supplier’s account, and then call the supplier to ask what the amounts received were. By confirming the amounts, the recipient is able to prove their account is open and valid, and the originator can prove their NACHA compliance.
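The trial-deposit check described above, as an added Python example that is not part of the original article or any Trustpair code. The class and function names, the three-attempt limit and the one-to-99-cent range are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed policy: lock the challenge after three wrong answers


@dataclass
class TrialDepositChallenge:
    """Two micro-deposit amounts (in cents) the account holder must report back."""
    amounts_cents: tuple
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False


def new_challenge(rng=secrets.SystemRandom()):
    # Two distinct amounts between $0.01 and $0.99, drawn from a CSPRNG so
    # they cannot be predicted by someone who cannot see the account.
    first, second = rng.sample(range(1, 100), 2)
    return TrialDepositChallenge(amounts_cents=(first, second))


def _canonical(amounts):
    # Order-insensitive encoding, e.g. (12, 3) -> b"03:12"
    return ":".join(f"{a:02d}" for a in sorted(amounts)).encode()


def verify(challenge, reported_cents):
    """Return 'verified', 'retry' or 'locked' for a reported pair of amounts."""
    if challenge.verified:
        return "verified"
    if challenge.attempts_left <= 0:
        return "locked"  # guessing is capped; a new challenge must be issued
    ok = (len(reported_cents) == 2
          and all(isinstance(a, int) and 0 < a < 100 for a in reported_cents)
          and hmac.compare_digest(_canonical(reported_cents),
                                  _canonical(challenge.amounts_cents)))
    if ok:
        challenge.verified = True
        return "verified"
    challenge.attempts_left -= 1
    return "retry" if challenge.attempts_left > 0 else "locked"
```

The attempt cap matters because two amounts under a dollar leave only a few thousand possible pairs, so an unlimited number of guesses would defeat the check.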

Vendor and customer databases

Vendor and customer databases enable businesses not only to collect the right information about their third parties, but also to verify it against external information sources. Tons of information categories can be collected and validated, including:

  • Account name (either business name or individual)
  • Account number
  • ABA routing number
  • Bank branch address

By collecting and validating this information upfront, companies benefit from maximum oversight of third-party details and can always refer back to the database before making or requesting any payments. This is one of the most effective ways to validate web debit accounts.

But it’s the ongoing maintenance of third-party databases that becomes the real kicker for fraud prevention. With thousands of third parties, at least one is likely to be updating internal systems or changing its financial accounts at any time. It becomes a lot for organizations to keep up with, not only for compliance purposes but broader business management too.

That’s where an automated validation solution like Trustpair can help. Trustpair provides ongoing account validation and monitoring across all third parties. Because it works automatically and in real time, fraudulent transactions are not left to be detected only after the fact.

Benefit from payment fraud prevention and compliance with the web debit account validation rule, not only for each payment entry on the ACH network but also for international electronic payments. Learn more about ACH payments in this article.


Who do NACHA requirements apply to?

Any business that wants to debit a new third-party bank account must comply with this rule. This is true for customer accounts, as well as B2B transactions for supply chain fulfillment. Of course, it’s the business’s choice between any of the reasonable validation methods on offer.

Just like other regulatory requirements, non-compliance isn’t an option. The regulators did give a one-year grace period from the initial implementation of the regulation to ACH originators that could prove their attempt to comply. Either way, this expired in March 2022, so the rule is now in full force. Therefore, expect fines and other penalties as a consequence of non-compliance.

To sum it up…

The NACHA web debit rule asks payment originators (businesses) to validate the debit account of a third party through any commercially reasonable method. This framework should sit as part of the business’ fraud detection system, preventing fraudulent payment entries. Trustpair is a good resource for payment protection and compliance with the requirements.


Trustpair does provide account verification for third parties, complying with the NACHA account validation rule.

We check account and bank details (bank account numbers, company ID, etc), alongside other company details against robust external and international databases (for extra details like IBAN validation). This ensures that all information is correct. Because it works in real time, we can automatically block any payment request to a suspicious or unknown third party before any money leaves your account. We also guarantee compliance with the main international regulations.

The bank validation rule exists to detect fraudulent transactions from web debit accounts. NACHA payments have grown hugely popular over the past few years, and will likely continue to grow. So, to be compliant, payment originators must verify that the person or company they intend to debit has an open and valid account. This acts as an ‘attempted fraud’ transaction detection system, protecting businesses.

The ACH 60-day rule provides an equal level of protection for the customer. If a customer is looking over the entries on their bank statement and finds an unauthorized transaction, they have 60 days to write to their bank and request a refund. As long as the bank receives this request within 60 days, they must return the customer’s money without question.
