Version: v1

ACH Consent

ACH (Automated Clearing House) consent is a legal authorization provided by a customer that permits electronic debits from their bank account. This consent is required by NACHA (National Automated Clearing House Association) regulations before initiating any ACH transaction.

Consent is mandatory for all ACH payments involving:

  • Saved payment methods (walletpaymentmethodId)
  • One-time payments without storing the payment method
  • IVR (Interactive Voice Response) payments
  • Any payment transaction using a Bank Account as the payment method

Important: Without valid consent, any payment transaction using a Bank Account payment method cannot and should not be processed.

| Payment Type | Consent Required | Notes |
|---|---|---|
| Bank Account (ACH) | Yes | Full consent object required |
| Credit/Debit Card | No | Consent not required for card payments |
| Saved Bank Account | Yes | Consent must be associated with stored payment method |
| IVR Bank Account | Yes | Specific TEL consent type required |

Consent Object JSON Schema

"consent": {
  "merchantConsentId": "string",
  "merchantConsentText": "string",
  "collectionTimestamp": "string",
  "collectionDetails": {
    "type": "WEB",
    "web": {
      "ipAddress": "string",
      "userAgent": "string"
    },
    "tel": {
      "inboundPhoneNumber": {
        "countryCode": "string",
        "number": "string"
      }
    }
  }
}

Key Components:

  • merchantConsentText: The actual text of the consent agreement shown to the customer.

    • Example: "I authorize [Company Name] to electronically debit my account for the amount due."
  • merchantConsentId: A unique identifier that references a consent agreement stored by the merchant.

    • Note: merchantConsentText and merchantConsentId are mutually exclusive. The API prioritizes merchantConsentId since the primary responsibility for consent collection rests with the merchant.
  • collectionTimestamp: The timestamp indicating precisely when consent was collected from the customer.

    • Must be in ISO-8601 format (e.g., "2025-07-21T14:30:00Z")
  • collectionDetails: Contains information about how the consent was collected

    • type: Specifies the consent collection method (WEB, TEL, PPD)
    • web: Web-specific collection details (required when type is WEB)
    • tel: Telephonic collection details (required when type is TEL)

NACHA regulations require specific consent collection methods for different ACH transaction types. The following types are specified in the collectionDetails.type field and are mutually exclusive:

WEB

  • Definition: Consent collected electronically via website or mobile application
  • Required Fields:
    • collectionDetails.web.ipAddress: Customer's IP address at time of consent
    • collectionDetails.web.userAgent: Browser/device information at time of consent
  • Use Cases: Self-service payments, online bill pay, recurring payment setup
  • Example: Customer agrees to ACH terms by checking a box on the payment page

TEL

  • Definition: Verbal consent provided over the phone
  • Required Fields:
    • collectionDetails.tel.inboundPhoneNumber: Contains country code and phone number
  • Use Cases:
    • IVR (Interactive Voice Response) payments
    • Agent-assisted payments where customer is on the call
  • Best Practice: While not mandatory, recording the call reference ID is recommended

PPD

  • Definition: Consent collected via physical signed document
  • Required Components:
    • collectionDetails.ppd: Contains information about the paper document and processing agent
  • Use Case: Customer provides a signed paper authorization form

Validation and Error Handling

The payment processing system enforces strict consent validation:

  1. Mandatory Requirement: No ACH payment can proceed without a valid consent object
  2. Validation Logic:
    • Either merchantConsentText or merchantConsentId must be present (mutually exclusive)
    • collectionTimestamp must be included and must be a valid ISO-8601 timestamp
    • collectionDetails.type must be one of the supported values (WEB, TEL, PPD)
    • Type-specific fields must be present:
      • For WEB: collectionDetails.web.ipAddress and collectionDetails.web.userAgent
      • For TEL: collectionDetails.tel.inboundPhoneNumber with valid country code and number
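
A merchant-side pre-flight check for the validation rules listed above, as an added example (not the payment API's own code). It takes the value of the "consent" key and returns the rules that fail. Rejecting a request that carries both merchantConsentText and merchantConsentId, requiring ipAddress to parse as an IP address, and reading a "valid" phone field as digits-only are assumptions of this example.

```python
import ipaddress
from datetime import datetime

def _text(v):
    return isinstance(v, str) and v.strip() != ""

def _obj(v):
    return v if isinstance(v, dict) else {}

def _parses(parser, v):  # True if v is a non-empty string that parser accepts
    if not _text(v):
        return False
    try:
        parser(v)
    except ValueError:
        return False
    return True

def _iso8601(s):
    # fromisoformat() rejects a trailing "Z" before Python 3.11
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_consent(consent):
    """Return the violated rules; an empty list means the object passes."""
    if not isinstance(consent, dict):
        return ["consent object is required for ACH payments"]
    errors = []
    has_text = _text(consent.get("merchantConsentText"))
    has_id = _text(consent.get("merchantConsentId"))
    if has_text == has_id:  # neither, or both (assumption: both is rejected)
        errors.append("need exactly one of merchantConsentText/merchantConsentId")
    if not _parses(_iso8601, consent.get("collectionTimestamp")):
        errors.append("collectionTimestamp is not ISO-8601")
    details = _obj(consent.get("collectionDetails"))
    ctype = details.get("type")
    if ctype not in ("WEB", "TEL", "PPD"):
        errors.append("collectionDetails.type must be WEB, TEL or PPD")
    elif ctype == "WEB":
        web = _obj(details.get("web"))
        if not _parses(ipaddress.ip_address, web.get("ipAddress")):
            errors.append("web.ipAddress is not an IP address")
        if not _text(web.get("userAgent")):
            errors.append("web.userAgent is missing")
    elif ctype == "TEL":
        phone = _obj(_obj(details.get("tel")).get("inboundPhoneNumber"))
        for key in ("countryCode", "number"):  # assumption: valid = digits only
            if not (_text(phone.get(key)) and phone[key].isdigit()):
                errors.append("tel.inboundPhoneNumber." + key + " is invalid")
    return errors
```

Running it before the payment call keeps a malformed consent from reaching the processor, and the returned list can be logged alongside the audit trail.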

Security and Compliance Considerations

  • Consent records should be retained according to NACHA retention requirements (generally 2 years)
  • Sensitive consent information should be properly encrypted in transit and at rest
  • Audit trails should track consent collection and usage throughout the payment lifecycle

WEB Consent

{
  "consent": {
    "merchantConsentText": "I authorize ACME Healthcare to debit my account for the amount specified and understand this authorization will remain in effect until I cancel it in writing.",
    "collectionTimestamp": "2025-07-21T10:15:30Z",
    "collectionDetails": {
      "type": "WEB",
      "web": {
        "ipAddress": "192.168.1.100",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
      }
    }
  }
}

TEL Consent

{
  "consent": {
    "merchantConsentId": "CONSENT-12345-ABCDE",
    "collectionTimestamp": "2025-07-21T14:22:18Z",
    "collectionDetails": {
      "type": "TEL",
      "tel": {
        "inboundPhoneNumber": {
          "countryCode": "1",
          "number": "5551234567"
        }
      }
    }
  }
}

PPD Consent

{
  "consent": {
    "merchantConsentId": "CONSENT-67890-FGHIJ",
    "collectionTimestamp": "2025-07-20T09:45:00Z",
    "collectionDetails": {
      "type": "PPD"
    }
  }
}