Positive pay has been a hot topic lately, leading to many members seeking our advice. So, let’s talk about it.  

First, what is Positive pay? 

Positive pay is a value-added service providing fraud detection or prevention tools for better management of business accounts. Positive pay services can be used to automatically match and approve or deny ACH Entries posting to business accounts.  

With positive pay, clients provide their financial institution with details about what payments are approved for paymentThe details will include the payee/originating company and company identification, SEC codes, transaction types and maximum dollar amounts. The positive pay system will filter or block entries, send an alert to the business and then allow them to approve or deny (or pay or return) the entry. Other types of fraud detection or prevention tools include ACH filters or ACH blocks. 

Where can you find more information about ACH Positive Pay? 

EPCOR can always help with your questions about the Rules and positive pay, but the most valuable resources are going to be your core processor, ACH processor, or other ACH software solutions. These entities, or Third-Party Service Providers (TPSPs), can provide you with details on how the service will work in your current processing environment and what details will be required to begin. 

Managing Risks 

Like any financial offering, there are risks with implementing positive pay. But these risks can be managed. 


Ensure a binding agreement to the ACH positive pay service is obtainedThis is not the ODFI/Origination agreement that addresses origination services but a services agreement detailing what is required of the business, including: 

  • How and when information will be securely passed between the client and the financial institution 

  • Deadlines to make processing decisions 

  • Responsibilities of the financial institution 

  • Reporting details and other responsibilities of each party. 

Remember to seek legal counsel on any service agreements. 


ACH positive pay systems automatically use Return Reason Code R29 – Corporate Customer Advised as Unauthorized on any ACH entry, regardless of the SEC code. This is usually an automatic system decision without staff handling the Return Entry. 

EPCOR often receives questions regarding ‘consumer-based’ WEB debit entries that post to non-consumer accounts being returned as R29, which does not necessarily align with the RulesIn this scenario, a Written Statement of Unauthorized Debit (WSUD) is not needed for corporate, non-consumer accounts because the positive pay agreement has been obtained.  

However, on the other hand, if staff choose to interrupt the automated process by manually returning a WEB Entry, TEL or PPD, as R10 – Customer Advises Originator is Not Known by Receiver/Originator is Not Authorized by Receiver to Debit Receiver’s Account, then a WSUD would be required based on Section 3.12 – Written Statement of Unauthorized Debit. 

For more information, refer to Operating Guidelines Chapter 29 on page OG 132, Reversals, Debit Block and Corporate Accounts. 

Republished with permission from EPCOR