ACH positive pay explained: debit blocks, filters, and how it differs from check positive pay

Most fraud-prevention talk in business banking centers on checks, but a growing share of unauthorized debits never involves a check at all. They come through the ACH network: a vendor that keeps drafting your account after a contract ends, a fraudster who got hold of your routing and account number off the bottom of a check, or a recurring charge you never approved. ACH positive pay is the control banks offer to stop those. This page explains what it does, how the underlying pieces (debit blocks and filters) actually work, and where it differs from the check positive pay process that PositivePayMaker helps with.

What ACH positive pay is

ACH positive pay is a treasury service that screens incoming ACH debits against rules you set, then either pays, blocks, or flags each one for your review. It is built on two older controls that many banks still offer on their own:

• ACH debit block. The blunt instrument. Every incoming ACH debit to the account is returned to the originating bank, with no exceptions. This is common on accounts that should never be drafted, such as a payroll-only or deposit-only account.
• ACH filter. A whitelist. The account blocks all ACH debits except those from originators you have pre-approved. Each incoming debit is checked against your approved list, typically by the originator's 10-digit ACH company ID, often combined with the debit type, the Standard Entry Class (SEC) code, and a maximum dollar amount. If the entry matches an approved rule and stays within your limit, it posts. If not, it is blocked.

ACH positive pay layers review on top of the filter. Instead of silently blocking a debit that does not match your list, the bank holds it as an exception and notifies you, usually by email, text, or an alert in online banking. You then approve or return it before settlement. Many banks also let you turn an approved one-off into a standing rule so the same originator clears automatically next time.

How it differs from check positive pay

The two services share a name and a goal, but they work on different payment rails and rely on different data.

• The payment type. Check positive pay matches paper and electronically converted checks you wrote. ACH positive pay screens electronic debits pulled from your account through the ACH network.
• What you submit. For check positive pay you upload a check issue file, a list of every check you wrote with its number, amount, date, and often the payee name. That is the file our tool builds from your check register. ACH positive pay needs no issue file. You maintain a list of approved originators and rules, not a list of individual transactions.
• What triggers an exception. Check positive pay flags a check whose number, amount, or payee does not match your issue file (and flags checks not on the file at all). ACH positive pay flags a debit from an originator or amount you have not authorized.
• The clock. Both services give you a same-day or next-day window to decide on exceptions, but the ACH return deadlines are governed by Nacha rules. For most corporate debits (CCD and CTX), an unauthorized entry has to be returned so it reaches the originating bank by the opening of the second business day after settlement. In practice your bank's daily exception cutoff is what you have to hit, and unreviewed items fall to a default of either pay or return that you set in advance.

A business that writes checks and gets drafted by vendors usually wants both services. They cover different attack surfaces and do not overlap.

Setting up ACH positive pay

This is a bank-side service, so the setup happens through your bank's treasury or business banking team, not through a file you generate. The general path:

1. Ask your bank what they offer. The feature may be called ACH positive pay, ACH debit block, ACH filter, or be bundled into a fraud-prevention or "business security" suite. Smaller banks and credit unions often run it on a treasury platform from a vendor such as Q2, Centrix, Fiserv, or FIS, but the service is the same regardless of who powers it.
2. Decide the default. Choose whether unreviewed exceptions default to pay or return. Return is the safer default for a tightly controlled account; pay reduces the risk of bouncing a legitimate vendor if you miss a day.
3. Build your approved-originator list. Pull a few months of statements and note every legitimate ACH debit: the originator name, the company ID, and a sensible maximum amount. Common ones are payroll providers, merchant-services fees, insurance, utilities, and tax payments.
4. Set up alerts. Route exception notices to a person who checks them every business morning. The service only works if someone acts inside the daily window.
5. Run it for a cycle and adjust. Expect a few legitimate debits to get flagged at first. Approve them and add standing rules so the noise drops.

Because the rules and exception decisions live entirely inside your bank's portal, there is no register-to-file conversion step here, and no third-party file to format. That is the opposite of check positive pay, where the formatting is the hard part.

Where PositivePayMaker fits (and where it does not)

To be clear about scope: PositivePayMaker does not set up or manage ACH positive pay. That is a service you enroll in directly with your bank. What our tool handles is the other half of the fraud-prevention picture, check positive pay, where the work is turning your check register into the exact issue file your bank expects.

QuickBooks cannot export a positive pay file on its own, and most banks require a specific column order or fixed-width layout. PositivePayMaker is a free, 100% in-browser tool that converts a CSV or Excel register into that file. Your check data never leaves your computer. It ships with 11 bank layouts, a custom format builder for matching any spec your bank publishes, and a file validator to catch problems before you upload. If you want a worked example, the QuickBooks positive pay guide walks through exporting the register and mapping the fields.

If you need ACH file automation specifically

Because ACH positive pay is bank-managed, there is rarely a file to generate, so a converter tool is not usually what you need. But if your bank does require an uploaded ACH file for some workflows and you want desktop automation, paid tools exist. Treasury Software's Bank Positive Pay is an installed Windows product (roughly $29.95 to $89.95 per month depending on edition) with 350+ bank layouts. Big Red Consulting's PositivePay File Creator is a Windows tool (about $119 the first year, then $99 a year) aimed at QuickBooks users, with the QuickBooks Online edition requiring Excel installed. Both lean toward check issue files rather than ACH controls, and either can make sense for higher-volume shops that want a fixed install. Check current pricing and feature lists on each vendor's site before buying.

Verify the first file with your bank

This holds for any positive pay work. Whenever you generate a check issue file (with our tool or any other), upload your first one and confirm with your bank that it imported cleanly before you rely on it. A single wrong column or date format can cause every check to flag as an exception. For ACH positive pay, the equivalent check is to watch your first full cycle of exceptions and confirm legitimate vendors are clearing and unknown ones are getting caught.

Create your positive pay file