ACH Blocks and Filters: How Businesses Prevent Unauthorized Debits

A fraudster doesn't need to break into your bank to pull money out of it. They just need your account and routing numbers, which sit on every check you've written, every vendor onboarding form, and every tax filing. Once those nine digits are out in the world, anyone who can submit an ACH debit can attempt to take funds from your account.

The numbers behind this aren't small. The 2025 AFP Payments Fraud and Control Survey found that 38% of organizations were hit by ACH debit fraud in 2024, and 79% were hit by some form of payments fraud overall. The ACH network itself processed 35.19 billion transactions in 2025, with B2B volume growing 11.6% year over year. More activity means more opportunity for attacks, but you aren’t powerless to prevent it from happening to your account.

ACH blocks and filters are the bank-level controls that decide which of those debit attempts actually post to your account. They are not glamorous tools, and they will not solve every fraud problem, but they are the most direct way to stop unauthorized debits from settling in the first place. This guide explains what they do, how they differ, how to set them up without breaking legitimate payments, and how the 2026 Nacha fraud monitoring rules are changing the broader compliance picture around ACH risk.

The standard in finance

Slash goes above with better controls, better rewards, and better support for your business.

Get Started

What Are ACH Blocks and Filters?

ACH blocks and filters are two different types of controls that determine how ACH debit entries are handled before money leaves your account. An ACH debit is a transaction where an outside party pulls funds from your account, like when you get that mysterious $2.99 charge from Apple on your statement. Debits are opposed to credits, where money is pushed in from a sender.

The first control is an ACH block, which is the hard line approach. It tells your bank to reject every ACH debit attempt against the account unless there's a separate instruction to allow specific ones through. Businesses commonly apply full blocks to reserve accounts, tax accounts, escrow, or any account that shouldn't see outside debit activity at all. The tradeoff is rigidity.; if a legitimate provider needs to debit a blocked account, someone on your team has to remove the block, route the payment elsewhere, or create a bank-side exception.

An ACH filter is a more nuanced control. Instead of rejecting everything, the filter checks each incoming debit against a list of approved originators. The list typically includes the originator's ACH company ID, name, debit type, and often a maximum dollar amount per transaction or period. A payroll provider might be approved up to a ceiling that covers a normal pay run. A SaaS vendor might be approved for the exact monthly subscription amount. Anything that doesn't match the approved list gets blocked or sent for review.

What is ACH Positive Pay?

Many banks pair ACH filters with a service called ACH Positive Pay. Where a filter makes the allow-or-block decision automatically, Positive Pay routes mismatched debit attempts to your team for a manual approve-or-reject decision before the bank settles them.

ACH Positive Pay can be useful when you want oversight without pre-approving every new vendor in writing, but it comes with a tradeoff: the exception window is usually short, and if no one reviews the alert in time, the debit either posts or returns based on the default you've set. For finance teams that already have an end-of-day review habit, it's a strong control. For teams that don't, it can become unnecessary noise.

How ACH Blocks and Filters Work in Practice

When someone submits an ACH debit against your account, it doesn't show up at your bank as a finished transaction. It travels through the ACH network in batches, and your bank (the Receiving Depository Financial Institution, or RDFI) has a short window to decide what to do with it before it settles. ACH blocks and filters are the rules your bank applies during that window. Here's what happens at each stage:

How an Incoming ACH Debit Reaches Your Account

ACH debits start with an Originating Depository Financial Institution, the bank that submits the entry on behalf of the originator (your vendor, payroll provider, or whoever is pulling funds). Those entries get batched and sent to the ACH operator, either the Federal Reserve's FedACH service or The Clearing House's EPN. The operator sorts the entries by destination and forwards each one to the RDFI that holds the target account.

When the entry arrives at your bank, it carries a standard set of fields: the originator's ACH company ID, the originator name as filed, the debit amount, the Standard Entry Class code (a code denoting the purpose of the debit), and the destination account and routing numbers. Your bank uses those fields to identify the account being debited and to look up any controls you've configured on it.

What Happens When a Debit Hits an ACH Block

If the destination account has an ACH block in place, the lookup is short. The bank checks the account's debit settings, sees that ACH debits are not permitted, and rejects the entry. The rejection is sent back through the ACH network as a return code, typically R29 ("Corporate Customer Advises Not Authorized") for blocked corporate accounts. The funds never leave the account, and the originator's bank receives the return within the standard ACH return window.

What Happens When a Debit Hits an ACH Filter

With a filter, the bank's lookup is more involved. The incoming debit's company ID and originator name are compared against the approved list on the account. If the originator matches an approved entry and the amount falls within any configured dollar limits, the bank allows the debit to post, money moves from your account on settlement date, and the transaction appears in your activity feed like any other ACH debit.

If the originator doesn't match, or matches but exceeds the dollar limit, the filter blocks the entry. With a plain filter, the bank issues a return (again typically R29) and the funds stay in your account. With ACH Positive Pay layered on top, the bank instead holds the entry as an exception and presents it to your team through the treasury portal before the cutoff. Your team can approve it, reject it, or let the exception window expire. If the window expires, then the bank falls back to whatever default you configured, either approve or return.

Why the Timing of the Return Window Matters

The ACH return window for unauthorized corporate debits is short, typically two banking days from the settlement date, and same-day for ACH Positive Pay exception decisions. If a debit posts because no one reviewed an exception in time, the recovery path becomes more complicated. You can still file a return for unauthorized activity, but the burden of proof shifts and your bank may require written affidavits or additional documentation. This is the reason ACH controls are often described as "pre-settlement" tools. Once the money moves, the process of getting it back is materially different, even when the underlying debit was clearly not authorized.

6 Steps to Set Up ACH Blocks and Filters

Most of the work in setting up ACH blocks and filters isn't technical. What takes real time is the prep work around it: knowing which originators actually debit your accounts, deciding which accounts need which kind of control, and ensuring legitimate payments don't get caught in the filter. Here’s how to set it up properly:

1. Map your current ACH debit activity

Before touching any controls, pull at least 90 days of ACH debit activity across your accounts. For each recurring originator, note the name as it appears in the ACH file (not the brand name on their website, which is often different), the expected timing, the typical dollar range, and the internal owner of the relationship. This list is what you'll use to build the filter, and it's the step that prevents the most common setup mistake: accidentally blocking a critical payment because no one realized it ran on ACH.

2. Decide which accounts get which level of control

Not every type of account deserves the same treatment. Some accounts will expect more pulls than others, so putting a block on a heavily used operational account may not be the best solution. Usually, the setup looks something like this:

Reserve, tax, and escrow accounts get full ACH blocks. These accounts shouldn't see outside debits, period.
Operating accounts that handle vendor payments get filters with a maintained approved list.
Collections or merchant-processor accounts may need separate monitoring rules depending on how processors interact with them.

3. Collect approved originator details

For each approved vendor, gather the ACH company ID, the exact originator name as it appears in ACH files, the debit type, and a sensible dollar limit. The company ID is the field that matters most. Brand names change, and parent companies often submit ACH entries under names that look nothing like the consumer-facing brand. A filter built on brand names will reject legitimate debits and create noise. A filter built on company IDs will not.

4. Set dollar limits where your bank supports them

If your bank allows per-transaction or per-period dollar limits, use them. A vendor approved for a $400 monthly software subscription doesn't need permission to debit $40,000. Set ceilings with enough room for normal variation (usage-based billing, payroll cycles with bonuses, quarterly tax payments), but no more than that. Outdated ceilings are one of the most common ways filters quietly stop working: a vendor's contract changes, the ceiling stays the same, and either legitimate payments fail or limits get raised so high they no longer constrain anything.

5. Assign exception ownership

Controls work when someone owns them. Decide who reviews unmatched debit attempts, who has authority to approve a new originator, and who updates the list. Name a backup. Document the workflow. Exception windows for ACH Positive Pay are often same-day, so unowned queues quickly become problems. This usually sits with finance, accounting, or treasury, with department owners flagged for visibility on vendors they manage.

6. Reconcile against your accounting records

Once filters are live, every approved debit should tie back to something real: an invoice, a payroll run, a tax remittance, a loan payment. Build the reconciliation into your monthly close. Approved debits that can't be tied to a record are worth a second look, even when they came from an approved originator. Slash integrates with QuickBooks Online, NetSuite, Xero, and Sage Intacct with two-way sync, which helps keep transaction data aligned with the books and can make recurring debit activity easier to audit against current vendor lists.

Accounting that updates itself

Connect QuickBooks or Xero and stay in sync.

Get Started

What the 2026 Nacha Fraud Monitoring Rules Mean for ACH Controls

Nacha's 2026 fraud monitoring amendments represent the biggest regulatory shift in years. Instead of the older, narrow requirement to screen only WEB debits and micro-entries for fraud, originators now have to implement risk-based processes designed to identify any ACH entry suspected of being unauthorized or authorized under false pretenses. RDFIs (receiving banks) face parallel obligations on the credit side, intended to catch credit-push fraud where money is sent out of accounts under false pretenses.

For finance teams running ACH controls at a business, the practical implications are these:

ACH blocks and filters remain a foundational layer of debit protection, and the new rules don't replace them. But Nacha's framework explicitly recognizes that traditional tools like debit blocks and Positive Pay can't catch every newer attack pattern, particularly authorized-but-fraudulent outbound payments.
Banks are under more scrutiny to detect anomalous activity on both sides of the ledger. Expect more queries from your bank about unusual transactions, and more exception alerts to review.
Internal fraud risk assessments are becoming the baseline expectation, not a nice-to-have. The Nacha guidance asks originators to evaluate their own ACH vulnerabilities and design controls accordingly.

The takeaway is that ACH blocks and filters are necessary but no longer sufficient. The 2026 rules push businesses toward continuous, behavior-based monitoring on top of static allow lists.

Common ACH Blocks and Filters Mistakes to Avoid

Overindexing your blocks and filters can end up causing your business more trouble than it's worth. You may be protected, but you can prevent legitimate payment activity from happening, slowing down operations and forming bottlenecks in your controls. Here are some common challenges you may encounter with setting up ACH blocks and filters:

Treating blocks and filters as complete fraud protection: These controls prevent a specific category of attack: unauthorized debits from unapproved originators. They don't catch fraudulent invoices from real vendors, BEC scams that trick someone into initiating a credit, or social engineering of internal staff. The controls are a checkpoint, not the whole system.
Letting the approved list go stale: Vendors change processors, get acquired, or rebrand. Filter lists frozen in 2022 are catching legitimate debits in 2026 and approving originators no one remembers signing up. Tie filter review to vendor offboarding and contract renewals so the list reflects current relationships.
Turning controls on without telling anyone: A finance team that activates strict filters without warning department heads can break payroll, miss tax deadlines, or fail an insurance premium. Run a short internal review with department owners before flipping anything on, and ask them to flag recurring pulls that might not be obvious from the vendor name.
Building the filter on brand names instead of company IDs: ACH files use originator company IDs, which often don't match the brand on a vendor's website. Brand-based filters generate false positives and create exception queues that nobody trusts.

Manage Payment Activity with More Control with Slash

Unauthorized debits are a recoverable problem when controls are in place before settlement, and an expensive one when they aren't. The first step to managing ACH risk is having the controls themselves, and the second is having real-time visibility into how your finances are moving.

Slash gives finance teams direct control over ACH activity with built-in safeguards.¹ Incoming debits run against a vendor allow-list before settlement, with configurable company IDs, subaccount restrictions, and per-transaction thresholds. Outbound transfers enforce per-transaction and rolling limits across ACH, RTP, wire, and international wire. Every change to a limit or authorization rule is logged with who, when, what, and why automatically.

Other ways that Slash can elevate how you move and manage your money include:

Slash Visa® Platinum Card: Set customizable spending controls and issue unlimited virtual cards for team expenses, vendor payments, subscriptions, and more. Earn up to 2% cash back on business purchases.
Diverse payment methods: Send and receive global ACH, wire transfers to over 180 countries, and real-time payments on RTP and FedNow networks.
Stablecoin payments: Send and receive USDC and USDT across eight supported blockchains for faster, lower-cost global payments compared to traditional rails.⁴
Accounting & ERP integrations: Sync transaction data with QuickBooks Online, NetSuite, Xero, or Sage Intacct to streamline reconciliation, reporting, and month-end close.
AI-powered finance: Slash comes with Twin, a built-in AI agent that can be prompted with natural language to create cards, pay invoices, review cash flow, and more.

Choosing the right platform can give you more confidence in how you manage your money. Get started with Slash today to see how it supports your payments.

Apply in less than 10 minutes today

Join the 5,000+ businesses already using Slash.

Frequently Asked Questions

Where do you configure ACH blocks and filters?

You configure them through your business bank's treasury management portal, fraud prevention service, or directly with your relationship manager. The exact location varies by bank, and some institutions require you to enable the service before any controls are visible in the portal.

Do ACH blocks and filters stop ACH credits?

No. Blocks and filters apply to debit entries, where another party pulls money from your account. ACH credits, where money is pushed in, are handled separately. With the 2026 Nacha rules, receiving banks now have new obligations to monitor inbound credits for fraud, but the control mechanics are different from debit blocks and filters.

Who should manage ACH blocks and filters inside a business?

Finance, accounting, or treasury teams typically own them, since those teams understand vendor relationships, recurring payment timing, and account structure. The owner should review exception queues regularly, maintain the approved originator list, and coordinate with department heads when vendors or billing arrangements change.