NACHA-compliant mandate capture

ACH payment authorization form — captured, stored, enforced per NACHA rules.

Every ACH debit needs a valid mandate. topropay's hosted authorization form, embedded fields and PDF / e-signature paths all produce the same mandate ID — carried on every debit, retained for the life of the relationship, defensible in disputes.

NACHA-compliant
Mandate copy meets NACHA authorization requirements
Hosted or embedded
Drop-in URL, iframe fields or PDF / e-signature capture
Stored forever
Mandate + evidence retained per scheme rules for the life of the debit relationship

Key benefits

Why the ach payment authorization side matters as much as the debit

Four properties that separate a real NACHA-compliant mandate flow from a hand-rolled form-plus-CSV workflow.

One form, every ACH type

The same authorization form template covers one-off debits (WEB, TEL), business debits (CCD), consumer standing debits (PPD) and recurring debits (WEB / PPD recurring). The merchant doesn't fork the form per SEC code — the platform selects the right code at debit time.

Hosted, embedded or PDF / e-sign

Send the customer a hosted authorization link, embed the form in a portal via hosted iframe fields, or accept a signed PDF captured with an e-signature provider. All three produce the same mandate ID the debit engine uses.

Mandate ID travels with every debit

Every ACH debit carries the authorization mandate ID plus the SEC code, capture timestamp, IP and consent-language version. That evidence pack ships automatically with the debit — and is retained for the required period per NACHA rules.

Recurring runs on the same mandate

One recurring ach payment authorization form authorises the whole billing series. The recurring engine references the mandate on every scheduled debit; the customer isn't asked to re-authorise every renewal.

How the recurring ach payment authorization form runs end-to-end

From link-send to reconciled debit in five steps

What happens between the merchant sending the authorization link and the debit landing in reconciliation — with mandate evidence attached at every hop.

  1. 01

    Send the authorization link

    Merchant creates a hosted authorization form via API or dashboard. topropay returns a per-customer URL with the merchant's brand and the debit terms pre-filled.

  2. 02

    Customer fills routing / account

    Customer opens the link, enters routing number and account number, checks the consent box and (for higher-risk merchants) completes micro-deposit or Plaid-style bank verification.

  3. 03

    Mandate stored, ID returned

    topropay stores the mandate, consent language version, timestamp, IP and evidence pack. A mandate ID returns to the merchant's back-end via webhook — recorded alongside the customer record.

  4. 04

    Debit against the mandate

    The merchant triggers debits (one-off or scheduled) against the mandate ID. The ACH debit engine builds the correct SEC-code entry, carries the mandate reference and submits through the partner ACH processor.

  5. 05

    Return handling & retries

    R-code-aware retries handle NSF / R01 / R03 / R04 returns per the merchant's policy. Mandate-terminating returns (R07 revoke, R08 stop) auto-flag the mandate as revoked and stop future debits.

Main use cases

Where a recurring payment authorization form pays for itself

Five recurring merchant shapes where ACH mandate capture drives real cost or approval wins over card-recurring.

  • SaaS

    US SaaS on ACH recurring

    US SaaS merchants substitute ACH recurring for card for large-ticket enterprise plans — lower interchange, longer settlement, no card expiry. One authorization form captured at contract; recurring debits on the monthly cycle.

  • B2B

    B2B ACH on NET terms

    Wholesale and trade sellers capture a CCD authorization at customer onboarding; debits fire on NET-30 / NET-60 as invoices come due. The mandate carries invoice references in the addenda.

  • Serv

    Service businesses & memberships

    Gyms, tutoring, subscription boxes, insurance premiums — the recurring payment authorization form runs monthly / annual debits on the same mandate for the life of the customer relationship.

  • Util

    Utility-style regular debits

    Bill-pay style merchants capturing monthly variable-amount debits — the authorization allows a variable range with customer notification per NACHA rules.

  • Lend

    Lending & consumer finance

    Licensed consumer lenders capturing standing debit authorisations for loan repayments — with mandate revocation on payoff and audit-grade evidence retention.

Platform features

Fields captured on the sample ach payment authorization form

The default form template captures every field NACHA requires plus the metadata that makes disputes defensible. Every field is merchant-configurable if the wording needs to match a specific customer-experience style.

  1. 01

    Customer legal name

    As it appears on the bank account being debited.

  2. 02

    Routing (ABA) number

    9-digit US bank routing; format-validated on entry.

  3. 03

    Account number

    Bank account number for the debit; validated against issuer BIN where possible.

  4. 04

    Account type

    Checking or savings — some SEC codes are restricted per account type.

  5. 05

    Debit amount / range

    Fixed amount for one-off; amount range for variable recurring.

  6. 06

    Debit frequency

    One-time, weekly, monthly, annual or on-invoice.

  7. 07

    Consent language

    NACHA-compliant authorization copy — versioned and stored per capture.

  8. 08

    E-signature or checkbox consent

    Depending on merchant preference — both produce a valid mandate under WEB / TEL SEC codes.

Industry relevance

Free ach payment authorization form templates vs a platform-managed mandate

A downloadable "free ach payment authorization form" PDF template can capture the legal consent — but produces no mandate ID, no evidence retention, no R-code-aware debit engine and no dispute-defence workflow. topropay's ACH-side posture targets licensed US merchants running recurring billing (SaaS, service businesses, B2B, lending, utility-style variable amounts) who need the whole loop under one roof rather than a PDF plus a spreadsheet.

  • SaaS on ACH recurring
  • B2B billing on CCD
  • Memberships & subscription boxes
  • Utility-style variable amounts
  • Licensed consumer lending
  • Professional services on invoice
  • Unlicensed lending · out of scope
  • Grey-market debits · out of scope

Trust & compliance

Compliance posture for ach payment authorization on topropay

One audited environment for the orchestration layer; NACHA-compliant mandate copy; evidence retention that survives disputes years after the fact.

NACHA mandate rules
Authorization copy meets NACHA rules for WEB, TEL, PPD and CCD SEC codes; consent language versioned per capture.
PCI DSS Level 1 (card side)
PCI L1 posture covers the wider platform; the ACH-side authorization form doesn't handle PAN data but shares the same audited environment.
Evidence retention
Mandate + consent-language version + capture metadata (timestamp, IP) retained per NACHA requirements for the life of the debit relationship plus 2 years.
R-code handling
R-code-aware processing per NACHA — R07 (customer revoke) and R08 (stop payment) auto-flag mandates as revoked.
Sanctions & AML alignment
Sanctions screening at onboarding; ACH velocity rules per merchant vertical and volume profile.
Licensed verticals only
Licensed gaming, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope.

Ready to capture NACHA-compliant mandates

Bring your ACH authorization flow onto topropay.

A 30-minute review covers the SEC codes relevant to your traffic (WEB, TEL, PPD, CCD), the authorization surface shape (hosted, embedded or PDF), your existing ACH processor relationship, and a sandbox to test against before any commercial commitment.

Frequently asked

Buyer questions about the ach payment authorization form

Definitions, SEC-code mechanics, mandate revocation, evidence retention and the practicalities of running ACH recurring under one platform.

  1. 01

    What is an ach payment authorization form on topropay?

    An ach payment authorization form on topropay is the NACHA-compliant capture surface the platform generates per merchant. It collects the customer's routing and account number plus consent to debit, versions the consent language, and returns a mandate ID the merchant references on every subsequent ACH debit against that customer.

  2. 02

    How does an ach recurring payment authorization form differ from a one-off one?

    An ach recurring payment authorization form authorises a series of debits rather than a single one — typically fixed-amount monthly, or a range for variable-amount monthly (e.g. utility-style billing). The authorization copy explicitly names the frequency and amount range; the mandate then covers every scheduled debit until the customer revokes it.

  3. 03

    What SEC code does a recurring ach payment authorization form fall under?

    A recurring ach payment authorization form typically falls under WEB (internet-initiated) or PPD (prearranged payment / deposit) for consumer accounts, and CCD (corporate credit / debit) for business accounts. topropay picks the correct SEC code at debit time based on the account type and origination channel; the merchant doesn't need to select it manually.

  4. 04

    Is a recurring payment authorization form legally binding?

    Yes — a recurring payment authorization form that meets NACHA rules for WEB, TEL, PPD or CCD is a legally binding standing authorization for debits under those rules. Consumer accounts have additional consumer-protection windows (60-day dispute for unauthorized debits, 15-day for authorised-but-billing-error under WEB/PPD); topropay's mandate storage preserves the evidence needed to defend a disputed debit within those windows.

  5. 05

    What does ach payment authorization mean in practice?

    ach payment authorization in practice means the customer has granted the merchant permission to debit their bank account for a specific amount (or range) at a specific frequency (or on-demand). The authorization must be captured before the first debit; the merchant retains the evidence for the required period; the customer can revoke the authorization at any time and the mandate must then be flagged as revoked.

  6. 06

    Is there a free ach payment authorization form on the platform?

    The 'free ach payment authorization form' framing typically refers to blank template PDFs floating around the web. topropay doesn't offer a downloadable blank template as a standalone product — the value is the mandate-capture flow, mandate ID, evidence retention and debit engine that ride on top. Merchants using the platform get a hosted authorization form as part of their subscription; standalone PDF templates without an underlying mandate engine won't produce a mandate ID or preserve evidence for disputes.

  7. 07

    Can I see a sample ach payment authorization form before signing up?

    Yes — the sales team can share a sample ach payment authorization form during onboarding, showing the platform's default consent language, the branded surface, the mandate-metadata capture, and the merchant-configurable fields. The final form is templated per merchant with their name, contact details and specific debit terms filled in.

  8. 08

    What are the technical hosting options for the form?

    The form ships in three shapes: a hosted URL (per-customer link the merchant sends via email / SMS / portal), embedded hosted-field iframes (the merchant renders the form inline inside their own billing portal), and PDF plus e-signature capture (for merchants whose customers prefer paper-style authorization). All three produce the same mandate ID the debit engine uses.

  9. 09

    How does mandate revocation work?

    Customers can revoke their mandate at any time via the merchant's customer-facing portal, by contacting the merchant, or via their bank's stop-payment mechanism (R07 / R08 return codes). Merchant-side revocation writes back to topropay via API or dashboard and stops future debits; bank-side revocation via R-code auto-flags the mandate as revoked based on the return processing.

  10. 10

    How long is the mandate valid?

    The mandate is valid until the customer revokes it or until the merchant's own policy expires it. NACHA rules require that consumer standing authorisations remain valid until revoked or until the merchant has cancelled the underlying billing relationship; topropay's mandate storage retains the mandate plus consent-language version for the life of the debit relationship plus 2 years for audit / dispute purposes.

  11. 11

    What happens if a debit is disputed?

    If a debit is disputed (via ACH return R05 / R10 / R11 or via consumer-protection window claim), topropay surfaces the dispute in the unified queue with the mandate evidence pack pre-filled: capture timestamp, IP, consent-language version, mandate ID, all prior debits against the mandate. That evidence flows into the return-management workflow with the partner ACH processor.

  12. 12

    Does the platform handle micro-deposit or Plaid-style bank verification?

    Yes — for merchants operating in higher-risk verticals, the authorization form can gate mandate creation on account verification via micro-deposits (2 small deposits + return-count challenge) or via a partner bank-verification integration (Plaid, MX or similar). Verified accounts carry a lower R-code rate at first debit.

  13. 13

    How are variable-amount recurring debits handled?

    Variable-amount recurring debits (utility-style billing) capture an amount range at authorization time and require pre-notification to the customer for each debit that varies from the previous one, per NACHA rules. topropay automates the pre-notification (email or in-portal) and records delivery evidence as part of the debit's audit trail.

  14. 14

    Can I attach the authorization form to my accounting system?

    Yes — the mandate ID plus a copy of the signed authorization (PDF export of the captured form) can be pushed to popular accounting systems (Xero, QuickBooks, NetSuite, Sage) as an attachment on the customer record. The mandate ID also travels with every debit's reconciliation row so finance can trace back to the source authorization.

  15. 15

    Where does ACH connectivity come from on topropay?

    ACH connectivity on topropay is delivered via licensed partner ACH processors (ODFI relationships) in the US. topropay owns the mandate capture, storage and orchestration layer; the partner processor owns the ACH network relationship and the settlement flow. Merchants sit as sub-merchants under the partner's ODFI, or as direct originators where they hold their own ODFI relationship.