- What Is an ACH Unauthorized Entry?
- Where This Topic Lives in the AAP Exam Domains
- Return Codes, Timeframes, and the Rules Behind Them
- Remedies, Liability, and Who Bears the Loss
- ODFI and RDFI Obligations You Must Know Cold
- Nacha Rule Provisions Side by Side
- Building an Unauthorized Entry Study Block Into Your AAP Prep
- Frequently Asked Questions
- Unauthorized entries are governed by specific Nacha return codes, timeframes, and warranty provisions tested heavily in AAP Domain 2.
- The ODFI gives a warranty that each debit entry is authorized; violating that warranty creates direct liability.
- Return timeframes differ by entry type (consumer vs. corporate), and confusing them is a classic AAP exam trap.
- Remedies for unauthorized entries involve both the return process and potential extended return rights under Nacha Rules.
What Is an ACH Unauthorized Entry?
An ACH unauthorized entry is any debit (or, in limited circumstances, a credit) initiated without the valid authorization of the account holder. In the Nacha Operating Rules framework, "unauthorized" is not a casual term. It carries a precise legal meaning that determines which return codes apply, which party bears the loss, and what remedies are available to both financial institutions and consumers.
For AAP candidates, the concept of unauthorized entries sits at the intersection of ACH operations, consumer protection law, and interbank risk, making it one of the most layered topics on the examination. You cannot memorize a single rule and move on. Instead, you need to understand how Nacha Rules interact with Regulation E and the Electronic Fund Transfer Act (EFTA) to produce outcomes that sometimes surprise candidates who only read one source.
An entry may be unauthorized because the originator never obtained authorization, because the authorization was revoked by the receiver before the debit was initiated, or because the transaction exceeded the scope of the authorization that was given. Each scenario triggers different procedural paths, different return codes, and different windows for action.
Where This Topic Lives in the AAP Exam Domains
The AAP exam is organized into five domains, and unauthorized entries do not belong to just one of them. Understanding how this topic spreads across the domain structure is itself a study strategy.
Domain 1: ACH Operations
This domain covers the mechanical lifecycle of an ACH entry: origination, transmission, settlement, and return. For unauthorized entries, Domain 1 questions focus on the operational steps an RDFI must take when it receives a return request, how return entries are formatted, and what happens at the settlement layer when an entry is reversed or returned.
- Initiating a return entry for an unauthorized debit
- Differentiating a return from a reversal
- Settlement timing for returned items
Domain 2: Rules and Regulations
This is where unauthorized-entry knowledge runs deepest on the exam. Domain 2 tests your command of the Nacha Operating Rules warranty structure, Regulation E consumer protections, and the interplay between federal law and ACH rules. Expect scenario-based questions that require you to apply the correct rule provision to a described fact pattern.
- ODFI authorization warranty and breach consequences
- Consumer vs. non-consumer entry distinctions
- Extended return rights under Nacha Rules
- Written Statement of Unauthorized Debit (WSUD) requirements
Domain 3: Risk Management
Unauthorized entries are a primary fraud vector in the ACH network. Domain 3 questions explore how financial institutions identify, monitor, and mitigate unauthorized entry risk. This includes monitoring return rate thresholds, originator due diligence, and fraud detection frameworks.
- Unauthorized return rate thresholds and Nacha enforcement
- ODFI monitoring obligations for originators
- Account takeover as a source of unauthorized entries
If you are working with a study group, discussing how a single unauthorized-entry scenario could generate questions across Domain 1, Domain 2, and Domain 3 simultaneously is a high-value exercise. The AAP Study Group Guide: How to Find and Join One offers practical advice on structuring those kinds of cross-domain analysis sessions with peers.
Return Codes, Timeframes, and the Rules Behind Them
Return codes are among the most heavily tested specifics on the AAP exam, and unauthorized entries generate some of the most nuanced return code distinctions. The exam will not simply ask you to name a code; it will describe a scenario and ask you to identify the correct code, or describe a code and ask whether the return is within the allowable timeframe.
The Primary Return Codes
The Nacha Operating Rules assign specific return reason codes to unauthorized entries. The most frequently tested include:
- R05 - Unauthorized debit to a corporate account using a consumer SEC code (e.g., PPD or TEL used for a business account)
- R07 - Authorization revoked by the consumer; the receiver previously authorized the entry but has since revoked that authorization
- R08 - Payment stopped; the receiver has placed a stop payment on the item
- R10 - Customer advises not authorized; the receiver states the originator did not obtain proper authorization, or the authorization was not in accordance with Nacha Rules
- R29 - Corporate customer advises not authorized; used for non-consumer accounts
Return Timeframes: Where Candidates Often Slip
The return window differs depending on the return code and the type of account involved. For consumer accounts, the RDFI generally has 60 calendar days from the settlement date of the entry to return an item using R07 or R10 when acting on a Written Statement of Unauthorized Debit. This extended window exists because of Regulation E protections for consumers.
For corporate accounts using R29, the standard return timeframe is significantly shorter, generally tied to the standard return window rather than the extended consumer protection window. Confusing these two windows is one of the most common errors on AAP exam questions about unauthorized entries.
Remedies, Liability, and Who Bears the Loss
Understanding the remedy structure for unauthorized entries requires knowing the warranty system that underpins the entire ACH network. When an ODFI transmits an entry, it warrants to the RDFI and to Nacha that the entry has been properly authorized. This is not a general assurance; it is a specific, enforceable warranty with direct consequences for breach.
The ODFI Authorization Warranty
If a debit entry is unauthorized and is returned to the ODFI, the ODFI cannot simply absorb the return and move on. The ODFI must seek recovery from its originator. If the originator cannot or will not fund the return, the ODFI bears the loss. This is why ODFI due diligence on originators (a Domain 3 topic) connects directly to the Domain 2 warranty rules for unauthorized entries.
The warranty chain flows like this: The receiver reports the entry as unauthorized to the RDFI. The RDFI returns the entry to the ODFI. The ODFI debits the originator. If the originator's account is insufficient or if the originator disputes its liability, the ODFI holds the loss unless it can demonstrate the originator's wrongdoing and pursue recovery through separate legal channels.
Consumer vs. Non-Consumer Remedies
Consumer receivers benefit from Regulation E error resolution protections. This means that beyond the Nacha return process, the RDFI has obligations under federal law to investigate and resolve error claims within specific timeframes. The RDFI must provisionally credit the consumer's account in certain circumstances while the investigation proceeds.
Non-consumer receivers do not have Regulation E protections. Their remedies flow entirely from the Nacha Operating Rules and commercial law, which is why the timeframes are shorter and the process is more limited.
ODFI and RDFI Obligations You Must Know Cold
The AAP exam tests your ability to assign responsibility correctly. A poorly drafted question might make both the ODFI and the RDFI sound like they share equal culpability; your job is to identify who bears which obligation under the Rules.
ODFI Obligations
- Obtain and retain proper authorization documentation before initiating any debit entry
- Ensure originators are aware of and comply with Nacha's authorization requirements for each SEC code
- Monitor originators' unauthorized return rates and take action when thresholds are exceeded
- Fund returned unauthorized entries and seek recovery from the originator
RDFI Obligations
- Accept Written Statements of Unauthorized Debit from consumers and initiate returns within the allowable window
- Retain the WSUD for a specified period after initiating a return
- Comply with Regulation E error resolution procedures for consumer accounts
- Avoid wrongful dishonor of legitimate entries while also protecting receivers from unauthorized debits
Key Takeaway
The RDFI does not "approve" an ACH debit before it posts; it receives and posts the entry based on routing and account information. This is why the WSUD process and extended return rights exist: they are the receiver's primary remedy after the fact. AAP candidates who conflate pre-authorization with post-posting return rights will miss scenario-based questions on this topic.
Nacha Rule Provisions Side by Side
The following table compares key unauthorized entry rules for consumer and non-consumer accounts. This kind of side-by-side view is exactly the format you should build into your own notes, because the AAP exam exploits the differences between these columns.
| Characteristic | Consumer Entry (e.g., PPD, TEL, WEB) | Non-Consumer Entry (e.g., CCD, CTX) |
|---|---|---|
| Primary return code for "not authorized" | R10 | R29 |
| Return code for revoked authorization | R07 | R29 (authorization was never valid or was revoked) |
| Extended return window | 60 calendar days from settlement date | Standard return timeframe only |
| Regulation E applies? | Yes | No |
| Written Statement of Unauthorized Debit required? | Yes, RDFI must obtain WSUD | No WSUD requirement under Nacha Rules |
| Provisional credit requirement | Yes, under Regulation E in certain circumstances | No |
| ODFI warranty breach consequence | ODFI liable to RDFI for returned entry amount | ODFI liable to RDFI for returned entry amount |
Studying this table is useful, but the AAP exam will test application, not memorization. After you learn the rules, practice applying them to scenarios. The AAP practice test platform structures its questions in the same scenario-based format as the actual exam, which helps you move from knowing these facts to using them under pressure.
Building an Unauthorized Entry Study Block Into Your AAP Prep
Because unauthorized entries touch Domain 1, Domain 2, and Domain 3, they deserve their own dedicated study phase rather than being folded into a single domain week. Below is a focused approach for structuring this topic within a broader AAP preparation schedule.
Rules Foundation (Domain 2 Priority)
- Read the Nacha Operating Rules provisions on authorization requirements by SEC code
- Map out the ODFI warranty structure and what constitutes a breach
- Study Regulation E error resolution timelines and how they layer onto Nacha Rules
- Create a return code reference card: R05, R07, R08, R10, R29
Operational Application (Domain 1 Integration)
- Trace the lifecycle of an unauthorized debit from posting through return settlement
- Practice identifying which return code applies in consumer vs. corporate scenarios
- Work through WSUD procedural steps and RDFI retention requirements
- Attempt scenario-based practice questions on the AAP practice test site focused on return entries
Risk and Liability Integration (Domain 3 Connections)
- Review unauthorized return rate thresholds and how Nacha monitors ODFIs
- Study originator due diligence obligations and how ODFIs document them
- Practice cross-domain questions that combine a liability scenario (Domain 2) with a monitoring obligation (Domain 3)
One technique worth applying here is teaching the material to someone else, whether a study partner or even just explaining it aloud to yourself. This forces you to identify the gaps in your understanding. Describing why R10 applies to a consumer account but R29 applies to a corporate account, without looking at your notes, is a reliable way to confirm you have internalized the distinction rather than just memorized it. This approach works especially well in a collaborative setting; the AAP Study Group Guide: How to Find and Join One covers how to structure this kind of active recall session with a group.
Also revisit the topic of unauthorized entries when you study ACH Unauthorized Entry: AAP Exam Rules and Remedies as part of your final review cycle. Returning to the same topic with fresh eyes, after you have studied the full exam domain structure, often reveals connections you missed the first time through.
Frequently Asked Questions
R10 is used when the consumer states the originator did not obtain proper authorization at all, or the authorization was not in compliance with Nacha Rules. R07 is used when a valid authorization existed but was subsequently revoked by the receiver before the entry was initiated. The distinction matters because the reason code signals whether authorization was absent from the start or was withdrawn after the fact. AAP questions often hinge on this difference.
For consumer accounts, the RDFI must obtain a Written Statement of Unauthorized Debit from the receiver before initiating an extended-timeframe return. The RDFI is not required to investigate or verify the consumer's claim independently-it acts on the consumer's statement. However, the RDFI retains the WSUD and provides it to the ODFI upon request, which shifts liability back to the originator if the entry was in fact authorized.
Nacha establishes return rate thresholds for unauthorized entries that ODFIs are required to monitor. If an originator's unauthorized return rate exceeds the applicable threshold, the ODFI must investigate and take corrective action, up to and including terminating the originator's ACH origination agreement. Domain 3 questions test whether candidates understand these monitoring obligations and what triggers ODFI intervention.
No. R10 is designated for consumer accounts. For a non-consumer account where the customer advises the entry was not authorized, R29 is the correct return code. Using R10 for a corporate account would itself be an incorrect return under Nacha Rules. This is a frequent source of errors on the AAP exam and in practice.
The ODFI is liable to the RDFI for the value of the returned entry when the ODFI's warranty of authorization is breached. However, the ODFI's recourse is against the originator. If the originator can demonstrate that the entry was in fact properly authorized and the receiver's claim is incorrect, the ODFI may have grounds to dispute the return, though this process occurs outside the standard ACH return mechanism and typically involves legal or arbitration channels.