Over the past two weeks, our publication — Extracted — has documented a structural failure in America’s payment network infrastructure. A failure that has enabled billions of dollars in criminal usury to flow through the ACH network, with unconditional bank warranties behind every transaction, and a fee collected by every institution in the chain.

The evidence is not ours alone.

The New York Attorney General secured a $1.065 billion judgment against the Yellowstone Capital network — the largest state enforcement action against predatory lending in history. 18,000+ small businesses. 87,180 agreements. Zero reconciliations. Effective interest rates up to 820%, with some exceeding 2,000%. Every dollar collected through the ACH network.

The FTC banned multiple MCA operators from the industry — RAM Capital Funding (2022), Richmond Capital Group (2022), and Jonathan Braun / RCG Advances (2024) — for deceptive practices, unauthorized withdrawals, and in some cases, threats of physical violence against small business owners.

The New Jersey Attorney General secured a $27.375 million settlement against Yellowstone entities for predatory lending disguised as cash advances.

Six enforcement actions. Three agencies. Three years. All public. All documented. All naming the same pattern: fixed daily or weekly ACH debits collected under variable-formula authorizations that were never applied — criminal usury disguised as receivables purchases.

What Our Analysis Has Added

Extracted has published three detailed analyses examining how this pattern operates within the existing regulatory and payment network framework:

The Enforcer, the Fence, and the Keeper examined how the ACH network’s governance structure turns banks into the enforcer of predatory collection, the processor that launders the legal character of the proceeds, and the gatekeeper that blocks their return. We submitted seven specific questions to Nacha CEO Jane Larimer. Nacha answered none of them.

Stand the Post analyzed Nacha’s written response — what it said, what it omitted, and what it confirms about who is standing watch over an $86 trillion network. Nacha’s CEO, on the record, described herself as the “governor” of the ACH network, responsible for “risk management and rules enforcement.” Nacha’s written response to our publication described “guidance and education.” Both are on the record. One must be true.

Anatomy of One Pull followed a single ACH debit from initiation to settlement and identified 17-21 potential federal and state criminal violations across five parties — the originator, the Third-Party Sender, the ODFI, Nacha, and the RDFI. Every party in the chain was compensated. The only party that lost money is the small business owner.

The Structural Gap

What no enforcement action, no legislation, and no regulator has yet addressed is the payment network infrastructure that makes the extraction mechanically possible.

Nacha’s Operating Rules are incorporated by reference into federal regulation through 31 C.F.R. Part 210. The OCC, FDIC, Federal Reserve, and FinCEN have each incorporated Nacha’s framework into their examination guidance. Federal banking examiners use Nacha’s rules as the compliance standard. Nacha actively participated in the rulemaking processes through which this incorporation occurred.

Yet Nacha — a 501(c)(6) trade association with $26.8 million in revenue, 77 employees, and a CEO compensated at over $1.1 million — has no merchant-accessible complaint mechanism, no statutory enforcement authority, and no congressional oversight. Its board includes representatives of the very institutions it is supposed to hold accountable. And when presented with documented evidence of criminal activity flowing through its network, its enforcement process responded in eleven minutes with one sentence: “Nacha only accepts violations from financial institutions.”

The federal government incorporated a trade association’s rulebook as the governing standard for an $86 trillion payment network — without requiring that the trade association have independent funding, a merchant-accessible enforcement mechanism, or any accountability to the public it purports to protect.

Senators Rubio and Brown recognized part of this problem when they introduced the Small Business Lending Fairness Act — four times. That legislation addressed confessions of judgment. It did not address the payment network infrastructure that makes the extraction mechanically possible. That infrastructure — the ACH network, the ODFI warranty, the BSA monitoring obligation — falls squarely within the jurisdiction of both of your committees.

Three Unanswered Questions

We have posed these questions publicly. Nacha has not answered them.

1. Can a bank, serving as an ODFI, legally process multiple, sequential, fixed-debit, criminally usurious MCA payments between the same two parties while maintaining compliance with Nacha’s Operating Rules and federal regulatory requirements?

2. After the New York Attorney General’s enforcement action proved that criminal usury was riding the ACH network at scale — what did Nacha do to help ensure its network was not continuing to enable the very activity the NYAG documented?

3. What did Nacha know about the predatory MCA pattern flowing through the ACH network — and when did Nacha know it?

What We Respectfully Request

We respectfully request that the committees consider the following:

First: Examine whether Nacha’s governance and enforcement capacity is adequate for an organization whose rules carry the force of federal regulation — and whether an organization funded by per-entry fees collected on the very transactions its rules are supposed to prevent can credibly serve as the network’s enforcement authority.

Second: Direct federal banking examiners to query ODFI origination patterns for the predatory MCA signature — identical fixed-amount debits, daily or weekly, under variable-formula authorizations, between the same parties. This query requires no new legislation, no new regulation, and no new technology. It requires arithmetic.

Third: Request that the Government Accountability Office assess whether the BSA’s “reason to suspect” standard has been triggered industry-wide by the six concluded enforcement actions — and whether the current federal examination framework adequately addresses the ODFI origination patterns that are the mechanical signature of predatory MCA collection.

The Evidence Is Public

Every claim in our analysis is sourced from public records, federal statutes, the Nacha Operating Rules, and concluded enforcement actions. Every article is published and available:

• The Enforcer, the Fence, and the Keeper

• Stand The Post

• Anatomy of One Pull

• The New York Attorney General’s Yellowstone Enforcement Action:

  https://ag.ny.gov/press-release/2025/attorney-general-james-announces-1-billion-settlement-predatory-lender

The rules exist. The laws exist. The pattern is arithmetic. The human cost is documented — including a small business owner who was told by an MCA representative that death was the only escape from his debts, and who attempted to take his own life. He survived. The representative later testified: “I made a lot of money on the guy.”

These questions have been asked publicly through our publication, on social media, and now to the committees with direct oversight jurisdiction. They will continue to be asked — with increasing specificity and to an increasing audience — until they are answered.

The human cost is staggering. And it’s still happening.

Respectfully,

Extracted

To see my other work, visit Extracted. An excerpt from “The Perfect Lap” captures the heart of what My Desert, my recently completed book, explores: the journey from striving to alignment, from performing to being present. The full book traces forty years of wandering through what I call the spiritual desert—learning to distinguish between the God we construct and the God who actually shows up. My Desert will be available this summer.

The Scene

It is a Tuesday morning. An ACH debit hits a small business checking account. The amount is the same as last week. And the week before. And every week for the past three months.

The debit is initiated by a merchant cash advance operator. The authorization on file references a “Future Receivables Purchase and Sale Agreement” and permits debits “up to” a specified ceiling “pursuant to” the agreement’s terms. The agreement defines the payment obligation through a Specified Percentage of the merchant’s actual receivables — a formula that, if applied, would produce a different amount each period based on what the business actually earned.

The formula was never applied. The amount never varied. The “good faith approximation” set at origination became the permanent collection amount. No reconciliation was performed. The effective annualized interest rate, calculable from the face of the agreement in approximately ninety seconds, exceeds 400%.

This is one debit. One entry. One line on a bank statement.

What follows is an examination of every party that touched this transaction — and the potential federal and state criminal statutes each one implicates.

I. The Originator — The MCA Operator

The originator initiates the debit. In this transaction, the originator is a merchant cash advance operator collecting under an agreement the New York Attorney General has established — across multiple enforcement actions — constitutes criminal usury when administered with fixed payments under a variable-formula authorization.

Criminal Usury — State Law

The effective annual interest rate on this transaction exceeds 400%. New York’s criminal usury threshold is 25% per annum (N.Y. Penal Law § 190.40). Florida’s criminal usury threshold is 25% (Fla. Stat. § 687.071). The rate on this transaction exceeds the usury ceiling of every state that has one. This is not a borderline case. The arithmetic is on page one of the agreement.

The NYAG’s Yellowstone investigation documented effective rates ranging from 250% to over 820% — with some exceeding 2,000% — across 87,180 agreements. Zero reconciliation refunds were issued. The “receivables purchase” label existed in every contract. It was never operationalized in any of them.

Wire Fraud — 18 U.S.C. § 1343

Each ACH debit is an interstate wire transmission. When that transmission is used to further a scheme to defraud — collecting money under an agreement that misrepresents itself as a receivables purchase while operating as a fixed loan — each transmission is a separate act of wire fraud.

The misrepresentation is not incidental to the transaction. It is the transaction. The entire legal architecture of the MCA — the avoidance of usury law, the avoidance of lending regulation, the avoidance of disclosure requirements — depends on the representation that this is a receivables purchase. When the agreement says “receivables purchase” and the operation says “fixed loan,” every collection made under that misrepresentation is wire fraud.

Collection of Unlawful Debt — 18 U.S.C. § 1962

Under RICO, the collection of an “unlawful debt” is a predicate act. An unlawful debt is defined under 18 U.S.C. § 1961(6) as a debt incurred in connection with the business of lending money at a rate usurious under state or federal law, where the usurious rate is at least twice the enforceable rate. At 400%+ against a 25% ceiling, the rate on this transaction exceeds the enforceable rate by a factor of sixteen. Every collection — every weekly or daily debit — is a separate predicate act.

Potential originator-level violations on this one pull: 3

II. The Third-Party Sender — The Processor

In many predatory MCA transactions, the originator does not have a direct relationship with the ODFI. Instead, a Third-Party Sender — a payment processor — aggregates MCA originators and manages their ACH activity through its own relationship with the ODFI. The TPS is the door through which the originator accesses the banking system.

A Critical Point: The Third Party Sender Shields No One

A common misconception — and a common defense — is that the presence of a Third-Party Sender between the originator and the ODFI creates distance that reduces the ODFI’s obligations. It does not. Under Nacha Operating Rules § 2.2.2, the ODFI is responsible for every originator that reaches the network through it, whether directly or through a Third-Party Sender. The ODFI’s § 2.4.1.6 warranty — that the amount is due and owing from the receiver to the originator — runs to the originator, not to the TPS. The TPS is not a party to the warranty. The warranty is a direct representation about the relationship between the MCA operator and the merchant. The TPS does not absorb, redirect, or diminish that obligation. It adds a layer of required compliance — its own independent BSA/KYC obligations — rather than excusing any.

Restacking the Originator’s Crimes

The TPS does not merely add its own violations to the chain. It restacks every originator-level crime by serving as the conduit through which those crimes reach the ACH network. Without the TPS, the originator cannot access the ODFI. Without the ODFI, the originator cannot access the ACH network. The TPS is the bridge — and every crime that crosses the bridge crossed through the TPS.

When a TPS transmits an ACH entry on behalf of a predatory MCA originator, it is facilitating:

• Wire fraud — transmitting the interstate wire communication that effectuates the fraudulent collection

• Money laundering — moving proceeds of unlawful activity (criminal usury) into the banking system through a financial institution

• Collection of unlawful debt — enabling the collection of criminally usurious debt through the payment network

Independent BSA/KYC Failures

The TPS has its own obligations under the Bank Secrecy Act. FinCEN’s guidance on third-party payment processors (FIN-2012-A010) makes clear that processors have independent BSA/AML obligations, including customer due diligence on the originators they aggregate.

If the TPS onboarded this originator without adequate due diligence — without reviewing the agreement, without calculating the effective interest rate, without checking whether the originator’s principals have regulatory histories (such as a permanent FINRA bar) — the TPS failed its own compliance obligations before transmitting entry one.

After the NYAG’s Yellowstone enforcement action, the FTC’s actions against Richmond Capital Group and RAM Capital Funding, and the New Jersey AG’s settlement — all public, all documented, all naming the predatory MCA pattern — the TPS has constructive knowledge that the pattern it is facilitating has been proven to represent criminal conduct. The “reason to suspect” standard under § 5318(g) is satisfied not by knowledge of this particular originator, but by knowledge that this pattern has been publicly established as criminal.

Potential TPS-level violations on this one pull: 4-5 (facilitating wire fraud, facilitating money laundering, facilitating collection of unlawful debt, independent BSA/KYC failure, SAR failure)

III. The ODFI — The Originator’s Bank

The ODFI transmits the entry into the ACH network. In doing so, it places its unconditional warranty behind the transaction — warranting, among other things, that the amount debited is “due and owing” from the receiver to the originator. This is the institution whose federal charter, FDIC insurance, and Federal Reserve access make the entire transaction possible.

False Warranty — Nacha Operating Rules § 2.4.1.6

The ODFI’s due and owing warranty is false on this entry. As detailed in the companion article “Stand The Post,” the warranty fails across five independent prongs:

1. The arithmetic. The amount debited was never calculated under the agreement’s operative formula. A “good faith approximation” that was never reconciled is not a fixed and settled obligation.

2. Legal validity. A criminally usurious obligation is void or unenforceable in every U.S. jurisdiction. An amount calculated under a void obligation cannot be “due and owing.”

3. Payee entitlement. An entity collecting under a criminal usury scheme is not legally entitled to receive payment. The amount cannot be “due and owing” to a party the law prohibits from collecting it.

4. KYC/BSA. The warranty runs “to the Originator from the Receiver.” That directional specificity requires the ODFI to know who the originator is. If the ODFI has not performed adequate Customer Due Diligence on the originator — has not verified its legitimacy, its principals, its regulatory history — the warranty is hollow.

5. Unconditional. The warranty contains no knowledge carveout, no good-faith exception, no materiality threshold. The ODFI did not warrant that it believed the amount was due and owing. It warranted that it is.

The warranty was false. On every prong. On this entry and on every entry before it.

BSA/AML Program Failure — 31 U.S.C. § 5318(h)

The Bank Secrecy Act requires every financial institution to maintain an anti-money laundering program with internal policies, procedures, and controls reasonably designed to detect suspicious activity. The program must account for known typologies.

The predatory MCA pattern — identical fixed debits, daily or weekly, same originator, same receiver, under a variable-formula authorization — is a known typology. It has been established as such through six separate enforcement actions across three agencies over three years. If the ODFI’s AML program is not configured to flag this pattern, the program does not meet the BSA’s “reasonably designed” standard.

SAR Failure — 31 U.S.C. § 5318(g)

Financial institutions must file Suspicious Activity Reports when they know, suspect, or have reason to suspect that a transaction involves funds derived from illegal activity or is designed to evade reporting requirements. After the enforcement timeline documented below, every ODFI in the country has “reason to suspect” that the predatory MCA pattern represents criminal conduct. If no SAR was filed on this entry or the pattern of entries preceding it, the ODFI failed its mandatory reporting obligation.

Willful BSA Violation — 31 U.S.C. § 5322

Willful failure to maintain an adequate AML program or to file required SARs is a federal crime carrying penalties of up to ten years imprisonment and fines of up to $500,000 per violation. Federal prosecutors have demonstrated — through TD Bank ($3 billion, 2024), Rabobank ($369 million, 2018), and USAA FSB ($140 million, 2023) — that systematic BSA monitoring failures are treated as criminal matters when the pattern is sustained and the volume is significant.

The predatory MCA origination pattern is more mechanically visible than most SAR triggers. It requires only arithmetic to identify. If the ODFI’s monitoring system is not configured to flag it, that is not an oversight. It is a design choice.

Money Laundering — 18 U.S.C. § 1956 / § 1957

The ODFI’s routing number and warranty do not merely facilitate the collection. They transform the legal character of the proceeds. Each ACH entry bearing the ODFI’s routing number carries into the mainstream financial system an unconditional institutional representation that the transaction is legitimate. When the underlying obligation is criminal usury, the ODFI’s warranty converts the proceeds of an unlawful debt into institutionally certified, Fed-settled credits. That conversion is the laundering.

Under § 1957, receiving or transmitting proceeds of specified unlawful activity through a financial institution in amounts exceeding $10,000 is a federal crime. Under § 1956, conducting a financial transaction involving proceeds of specified unlawful activity to promote that activity or conceal its origins is money laundering — carrying up to twenty years imprisonment.

KYC/Customer Due Diligence Failure

The ODFI’s origination relationship with the MCA operator is a customer relationship subject to BSA’s Customer Due Diligence requirements. If the originator’s principal has a publicly searchable regulatory history — such as a permanent FINRA bar, discoverable in thirty seconds on BrokerCheck — and the ODFI did not identify it, the ODFI failed its CDD obligations before transmitting entry one.

The “We Are Just a Processor” Defense

The ODFI’s anticipated response to everything above is some version of: “We are just a processor. We move money. We didn’t originate the loan. We didn’t set the interest rate. We didn’t draft the agreement. We are not the criminal actor here.”

This defense fails on the ODFI’s own terms — and under the ODFI’s own rules.

The ODFI is not “just” anything. It is a federally chartered, federally supervised, FDIC-insured institution that voluntarily accepted participation in the ACH network and, in doing so, accepted the unconditional warranty obligations that participation requires. It warranted — not suggested, not estimated, not approximated — that the amount in this debit is due and owing. It made that warranty without condition. It made it on every entry. And it made it as a representation to every other institution in the settlement chain.

A bank that places its unconditional warranty behind a transaction is not a passive processor. It is an active certifier. The warranty is the bank’s institutional endorsement — transmitted through the Federal Reserve — that this transaction is legitimate. When it is not legitimate, the warranty is not an administrative formality. It is a false certification by a regulated institution.

The companion article “Stand The Post” addresses this defense in comprehensive detail, including the State A / State B compliance binary that eliminates the middle ground: the ODFI either read the agreement and knew, or didn’t read it and warranted blindly. Both states produce the same legal conclusion.

Potential ODFI-level violations on this one pull: 6-7 (false warranty, BSA/AML program failure, SAR failure, willful BSA violation, money laundering under § 1956, money laundering under § 1957, KYC/CDD failure)

IV. Nacha — The Governance Layer

Nacha is not a direct party to this transaction. It does not process entries, does not hold accounts, and does not transmit funds. But Nacha occupies a unique position in the architecture — and that position creates unique exposure.

Revenue from the Transaction

Nacha collects a per-entry fee on every ACH transaction its network processes. This entry generated revenue for Nacha. The entries that generate those fees could not have been originated if the rules those fees fund were actually enforced. The revenue and the enforcement obligation are in structural conflict.

Federal Incorporation by Reference

Nacha’s rules are not merely private trade association guidelines. They are incorporated by reference into 31 C.F.R. Part 210, governing federal government ACH transactions. The OCC, FDIC, Federal Reserve, and FinCEN have each incorporated Nacha’s framework into their examination guidance. Nacha did not accept this incorporation passively — it participated in the rulemaking processes through which its rules were adopted as the federal standard.

When an organization actively participates in making its rules the federal regulatory standard, derives revenue from every transaction those rules govern, and publicly claims enforcement authority through its CEO — and then declines to act on documented knowledge that criminal activity is riding its network at scale — the question is no longer limited to governance failure.

Potential Exposure

The combination of knowledge (six public enforcement actions documenting the pattern), authority (self-described governor and enforcer), revenue (per-entry fees on every predatory MCA debit), and inaction (eleven minutes, one sentence, “guidance and education”) creates potential exposure under:

• Aiding and abetting (18 U.S.C. § 2) — facilitating ongoing criminal activity through deliberate inaction while deriving revenue from its continuation

• Misprision of felony (18 U.S.C. § 4) — having knowledge of federal felonies occurring through its network and failing to report or act on that knowledge

This is not an assertion that Nacha committed a crime. It is an identification of exposure that the combination of knowledge, authority, revenue, and inaction creates — exposure that Nacha’s own CEO invited when she described herself as the governor and enforcer of the ACH network.

Potential Nacha-level exposure on this one pull: 2-3

V. The RDFI — The Small Business’s Bank

The RDFI receives the debit entry and posts it to the merchant’s account. The RDFI is the merchant’s bank — the institution that holds the account being debited.

BSA/AML Monitoring Obligations

The RDFI has its own BSA obligations. A pattern of identical debits — same amount, daily or weekly, draining a business account — should trigger transaction monitoring alerts. The RDFI may not know the details of the underlying MCA agreement, but the pattern on the face of the account is visible: recurring fixed debits of the same amount from the same originator, increasing in frequency or eroding the account balance to near zero on a recurring basis.

If the RDFI’s monitoring system is configured to flag unusual debit patterns on business accounts — as BSA requires — this pattern should surface. If it does not surface, the question is the same one asked of the ODFI: is the monitoring system inadequate, or is its output being disregarded?

Failure to Exercise Return Rights

Nacha’s rules give the RDFI the right to return an unauthorized ACH debit to the ODFI — typically within two banking days for business accounts via the R29 return code. This right is permissive, not mandatory. But when a merchant reports that the debits are unauthorized, or when the pattern itself raises flags the RDFI should be investigating, the failure to exercise the return right becomes part of the structural problem.

In at least one documented case, an ODFI responded to a proof-of-authorization request by stating it was “waiting for proof or permission to return” — from the originator. The bank that warranted the debit was legitimate was asking the party that collected the money whether it was permissible to give it back. The return mechanism, as practiced, conditions the merchant’s remedy on the originator’s consent.

Potential RDFI-level violations on this one pull: 2-3 (BSA monitoring failure, SAR failure, failure to exercise return rights)

VI. When “Reason to Suspect” Became Undeniable — The Enforcement Timeline

The BSA’s SAR filing obligation is triggered when a financial institution “knows, suspects, or has reason to suspect” that a transaction involves funds derived from illegal activity. The question for every institution in this chain is: when did you have reason to suspect?

The answer is not a single date. It is a timeline of public enforcement actions — each one naming the predatory MCA pattern, each one documented in the public record, each one adding to the constructive knowledge that every institution in the ACH chain now carries.

January 2022 — FTC v. RAM Capital Funding (Tzvi Reich) Permanent ban from MCA and debt collection industries. Unauthorized withdrawals. Seizure of personal and business assets. Threats of physical violence against small business owners. $675,000 settlement.

June 2022 — FTC v. Richmond Capital Group (Robert Giardina) Permanent ban from MCA and debt collection industries. Deceptive practices since at least 2015. Misrepresentation of terms. Unauthorized withdrawals. $2.7 million restitution.

December 2022 — New Jersey AG v. Yellowstone Capital LLC $27.375 million settlement. Predatory lending disguised as cash advances. Forgiveness of $21.7 million in outstanding balances. Operational reforms required.

September 2023 — NY AG v. Richmond Capital Group $77.3 million judgment. Interest rates up to 4,000% annualized — 250 times the legal limit. Required to stop collecting on outstanding debt.

February 2024 — FTC v. Jonathan Braun / RCG Advances $20.3 million judgment. Permanent industry ban. Threats of physical violence. Deceptive practices. Unauthorized withdrawals.

March 2024 — NY AG v. Yellowstone Capital LLC et al. $1.065 billion. 18,000+ small businesses. 87,180 agreements. Zero reconciliations. Effective interest rates up to 820%, some exceeding 2,000%. Confessions of judgment used to freeze merchant accounts without notice or hearing. The largest state enforcement action against predatory lending in history.

Six enforcement actions. Three agencies. Three years. Each one public. Each one naming the predatory MCA pattern. Each one establishing — through investigation, testimony, and transactional data — that fixed-payment MCA debits under variable-formula authorizations represent criminal usury.

After January 2022, an ODFI had reason to suspect. After December 2022, the reason was documented across two agencies. After March 2024, the reason was proven at a scale that admits no ambiguity — $1.065 billion, 87,180 agreements, zero reconciliations.

The ACH debit that hit the small business account this Tuesday morning — the one entry this article examines — was originated after every one of these enforcement actions. Every institution in the chain had constructive knowledge of what this pattern represents. The “reason to suspect” standard is not a question. It is a documented fact.

VII. The Count

One ACH debit. One Tuesday morning. One line on a bank statement.

At the originator level: Criminal usury. Wire fraud. Collection of unlawful debt. 3 potential violations.

At the Third-Party Sender level: Facilitating wire fraud. Facilitating money laundering. Facilitating collection of unlawful debt. Independent BSA/KYC failure. SAR failure. 4-5 potential violations.

At the ODFI level: False warranty. BSA/AML program failure. SAR failure. Willful BSA violation. Money laundering (§ 1956). Money laundering (§ 1957). KYC/CDD failure. 6-7 potential violations.

At the Nacha governance level: Aiding and abetting. Misprision of felony. 2-3 potential exposure areas.

At the RDFI level: BSA monitoring failure. SAR failure. Failure to exercise return rights. 2-3 potential violations.

Total: approximately 17-21 potential violations across five parties — on one transaction.

And every party in the chain was compensated for its role. The originator collected the debit. The TPS collected a processing fee. The ODFI collected an origination fee. Nacha collected a per-entry fee. The RDFI collected an account fee. Everyone in the chain got paid.

The only party that lost money is the small business owner.

VIII. The Multiplier

This transaction does not happen once. It happens daily or weekly — 52 to 260 times per year per merchant. Each occurrence is a separate transaction. Each one carries its own set of potential violations. Each one generates its own fees for every institution in the chain.

Under RICO, each collection of unlawful debt is a separate predicate act. Each wire fraud is a separate predicate act. The statute requires a “pattern of racketeering activity” — defined as at least two predicate acts within ten years. A single predatory MCA agreement can produce fifty-two predicate acts in its first year alone.

And this is one merchant. The NYAG documented 18,000+ victims across the Yellowstone network alone. The FTC documented additional victims across the Richmond Capital and RAM Capital networks. The industry deploys billions annually. The number of ACH entries fitting this pattern — across all originators, all ODFIs, all processors — is not in the thousands. It is in the millions.

Each one carried a warranty. Each one generated a fee. Each one was processed without question.

IX. The Close

It is still Tuesday morning. The debit has settled. The small business owner’s account is lighter by the same amount it was lighter last week, and the week before, and every week for months. The originator has been paid. The processor has been paid. The ODFI has been paid. Nacha has been paid. The RDFI has been paid.

Seventeen to twenty-one potential violations. Five parties. One second.

Multiply this one Tuesday morning across the industry — thousands of originators, millions of transactions, billions of dollars — and the number of potential criminal acts flowing through our nation’s ACH network is staggering. All warranted. All fee-generating. All processed without question.

We have asked Nacha a number of questions through this publication. Seven in detail. Two simple ones that remain unanswered. Now a third:

What did Nacha know about the predatory MCA pattern flowing through the ACH network — and when did Nacha know it?

Because the enforcement timeline above establishes that the pattern was publicly documented starting in January 2022. Nacha’s own rules were the framework every one of those transactions rode through. Nacha’s own per-entry fees were collected on every one of those transactions. And Nacha’s own CEO described herself as the governor and enforcer of the network those transactions traveled.

If the rules already prohibit this — if the laws already criminalize it — if the pattern is visible on the face of any bank statement and requires only arithmetic to identify — why is it still happening?

The human cost is staggering. And it’s still happening.

To see my other work, visit Extracted. An excerpt from “The Perfect Lap” captures the heart of what My Desert, my recently completed book, explores: the journey from striving to alignment, from performing to being present. The full book traces forty years of wandering through what I call the spiritual desert—learning to distinguish between the God we construct and the God who actually shows up. My Desert will be available this summer.

Standing the post means one thing: you don’t leave. You hold your position, you maintain watch, and you do not abandon the duty you were assigned — regardless of whether anyone is checking. Every institution in the ACH network has a post. Nacha described its own as governance, risk management, and rules enforcement. The ODFIs accepted theirs when they signed the operating rules and began warranting every entry they originated. This article examines whether anyone is standing watch.

This is a companion to The Enforcer, the Fence, and the Keeper, which argued that Nacha has built a governance structure in which banks simultaneously function as the enforcer that makes predatory MCA extraction irresistible, the fence that launders unlawful loan proceeds into the mainstream financial system, and the keeper that blocks or delays their return. That article submitted seven specific questions to CEO Jane Larimer. Nacha’s communications department responded with four paragraphs that did not answer any of them.

This article does three things. First, it examines each of Nacha’s four substantive claims — what each says, what each omits, and what each confirms. Second, it maps Nacha’s response against the seven questions actually asked, identifying precisely what was answered, what was partially addressed, and what was ignored entirely. Third, it presents the evidence — now part of the public record through a concluded state enforcement action — that establishes what Nacha’s ODFI members are required to do under the Bank Secrecy Act when they encounter the fixed-payment MCA pattern flowing through their ACH origination infrastructure.

A word before the analysis begins. It is highly likely I am not 100% correct in this analysis — nor would I dare suggest I could be. But here is what I do know. There is a pattern. It is a clear pattern. And often, that pattern is a signal of criminal activity. That much is not my opinion — it is proven, by the New York Attorney General. The question is not whether I am 100% right. The question is whether our regulated financial institutions, and Nacha, can avoid asking the far easier questions in the normal conduct of their business.

NACHA’S COMPLETE RESPONSE — REPRODUCED IN FULL

Received from Nacha’s communications department in response to seven questions submitted to CEO Jane Larimer prior to publication. Reproduced without editing or omission.

Nacha’s role is to set and maintain the Operating Rules that support consistent and efficient ACH payment processing within an interbank payment system. Nacha also provides guidance and education to help participants understand their roles within the ACH Network. Nacha does not process any ACH payments and does not have access to information about individual payments.

Please note, however, that there are a number of incorrect assertions and conclusions in your draft.

The Nacha Operating Rules are the foundation for every ACH payment. The Rules define the roles and responsibilities of financial institutions and establish clear guidelines for each ACH Network participant. Under the Nacha Rules, the warranty made by the ODFI that the payment is authorized does not further apply to the nature of the goods or services for which payment is being made.

Nacha’s enforcement role is intended to promote Rules compliance by financial institutions. It is distinct from the statutory authority exercised by regulators, law enforcement or courts. Nacha does not resolve commercial disputes between parties making and receiving payments.

The Nacha Rules permit a receiving bank to return an unauthorized ACH payment to the originating bank, typically within two banking days when an unauthorized payment posts to a business account. Although the incidence of unauthorized ACH payments is very low, Nacha recommends that businesses monitor account activity at least daily and consider using bank-offered services — such as debit blocks and positive pay — to help prevent unauthorized payments.

This response did not answer any of the seven questions submitted to Ms. Larimer. It identified no specific inaccuracy in the article. It did not mention the due and owing warranty. It did not address federal incorporation of Nacha’s rules. It did not acknowledge its CEO’s public characterization of Nacha as the network’s governor and enforcement authority. And it offered a remedy — the debit block — that the MCA agreement converts into a contractual default event.

What follows is a precise examination of each claim.

Claim 1: Nacha’s Role Is Rule-Writing and Education

Nacha’s role is to set and maintain the Operating Rules that support consistent and efficient ACH payment processing within an interbank payment system. Nacha also provides guidance and education to help participants understand their roles within the ACH Network. Nacha does not process any ACH payments and does not have access to information about individual payments.

What Nacha’s CEO Said Publicly — On The Record

Nacha’s description of its role conflicts with its own CEO’s public characterizations, made on the record, in documented interviews available to anyone with an internet connection.

In October 2024, on the Currency Research Podcast, Jane Larimer stated: “Nacha is the governor of the ACH network in the United States. That means we write the rules, the standards, we have risk functionality and also run the enforcement of the rules as well.”

In an earlier interview she stated: “I am responsible for the ACH network rules, the risk management and rules enforcement.”

Nacha’s response to this publication describes a rule-writing and education function. Ms. Larimer’s public statements describe governance, risk management, and enforcement — the operational vocabulary of a regulatory authority. The discrepancy between what Nacha told this publication and what its CEO says publicly is not a matter of emphasis. It is a difference in institutional identity. When a CEO publicly claims enforcement authority and the organization’s formal response describes only education and guidance, one of those characterizations is inaccurate — and both are on the record.

What Nacha Did Not Disclose: Federal Incorporation

Nacha’s response omitted a fact that materially changes the legal character of the role it described. Nacha’s rules are not merely a private trade association’s internal standards. They have been incorporated by reference into federal regulation through 31 C.F.R. Part 210, which governs federal government ACH transactions. The OCC, the FDIC, the Federal Reserve, and FinCEN have each incorporated Nacha’s framework into their examination guidance for financial institutions.

The federal government does not transcribe the rules of a rule-writing and education body into the Code of Federal Regulations as an operative compliance standard. Federal incorporation means that when a federal banking examiner assesses an ODFI’s ACH compliance, the standard applied is Nacha’s rules. The examiner does not assess whether Nacha’s rules are adequate. That question — the antecedent question — is never asked, because the federal examination framework has already accepted Nacha’s answer.

This is not an abstract legal point. It means that any gap in Nacha’s rules — any pattern of predatory origination that Nacha’s framework does not flag, any monitoring obligation it does not impose — is a gap in the federal regulatory standard. Nacha’s response described a modest institutional role. Federal incorporation assigns a substantially different one.

What Nacha Did Not Disclose: Its Own Active Participation in Federal Incorporation

Nacha did not accept federal incorporation passively. It participated in the rulemaking processes through which its rules were incorporated into federal regulation. It submitted comments. It engaged with the agencies. It supported the outcome. An organization that participates in federal rulemaking processes to support incorporation of its rules into federal regulation is not a passive beneficiary of someone else’s decision. It is an active participant in the construction of the regulatory framework.

Nacha cannot accept the authority that federal incorporation confers and simultaneously disclaim the accountability that authority demands. If Nacha’s rules are the standard by which federal examiners assess ODFI compliance, then Nacha’s adequacy as a rule-writer is a federal regulatory question — and Nacha’s response to this publication, which described only guidance and education, did not account for that.

The “Incorrect Assertions” Claim

Nacha’s response states: “Please note, however, that there are a number of incorrect assertions and conclusions in your draft.” It identified none of them specifically. This is a standard litigation-adjacent hedge — putting the word “incorrect” on the record without bearing the burden of identifying what is wrong and why. It is the institutional equivalent of saying “I disagree” without saying with what.

This article invited Nacha to identify specific inaccuracies. The offer remains open. If Nacha identifies a specific factual error in any published claim, this publication will issue a correction, attribute the correction to Nacha, and publish Nacha’s explanation of the error in full. That commitment is unconditional. But the word “incorrect,” standing alone and unspecified, is not a rebuttal. It is a placeholder for one.

What Claim 1 Did and Did Not Address

Question 1 asked whether Nacha’s network compliance function identified the fixed-payment MCA origination pattern during the period the NYAG documented over $1 billion in collections through the ACH network. Nacha’s response did not address this. It stated that Nacha “does not have access to information about individual payments.” But Question 1 did not ask about individual payments. It asked about origination patterns — the kind of systemic monitoring that Nacha’s own CEO described as “risk functionality.”

Question 3 asked whether a $26.8 million trade association with 77 employees has the institutional capacity to serve as the enforcement authority for an $86.2 trillion network. Nacha’s response did not address this.

Question 4 asked whether Nacha believes it has obligations commensurate with federal incorporation of its rules. Nacha’s response did not mention federal incorporation at all.

Claim 2: The Authorization Warranty and the Goods and Services Carveout

The Nacha Operating Rules are the foundation for every ACH payment. The Rules define the roles and responsibilities of financial institutions and establish clear guidelines for each ACH Network participant. Under the Nacha Rules, the warranty made by the ODFI that the payment is authorized does not further apply to the nature of the goods or services for which payment is being made.

This is the most carefully constructed paragraph in Nacha’s response. It contains a partial truth deployed to avoid a complete answer. The sentence about the goods and services carveout answers a question the article did not ask — and in doing so, draws attention away from the warranty provision the article did ask about, which Nacha’s response did not mention at all.

Level One: Nacha Quoted One Warranty and Omitted the Other

Nacha Operating Rule § 2.4.1 contains multiple distinct and independent ODFI warranty obligations. Nacha’s response addressed the authorization warranty and its goods and services carveout under § 2.4.3. This carveout is real: Nacha’s rules do not require the ODFI to adjudicate commercial disputes about the nature of the underlying goods or services.

But that is not the warranty the article raised.

§ 2.4.1.6 — the due and owing warranty — was not mentioned in Nacha’s response. Not once. This is the warranty that requires the ODFI to warrant that the specific dollar amount debited in each ACH entry is actually due and owing from the receiver to the originator. “Due and owing” is not a single condition. It is a chain of independent requirements, each of which must be satisfied, and each of which fails independently in the predatory MCA context.

First: the arithmetic. Was the amount debited the amount actually calculated under the agreement’s operative formula? In the fixed-payment MCA, the answer is no. The Specified Percentage was never applied to actual receivables. The “good faith approximation” was never reconciled. The fixed amount collected bears no demonstrated relationship to what the formula would produce. The NYAG established this across 87,180 agreements with zero reconciliation refunds. The amount is not “owing” under the agreement’s own terms because the formula that determines what is owing was never applied.

Second: the legal validity of the underlying obligation. “Due and owing” implies not just that a number was calculated, but that the obligation to pay that number is legally enforceable. A usurious loan is void or voidable in virtually every U.S. jurisdiction. Every state imposes some form of usury ceiling — civil, criminal, or both. New York’s criminal usury ceiling is 25% per annum. But this is not a New York-specific argument. The effective annual interest rates the NYAG documented — regularly in the triple digits, reaching 820% — exceed the usury ceiling in every state that has one. No U.S. jurisdiction treats an 820% annual interest rate as a legally enforceable lending obligation. No U.S. jurisdiction treats a 250% annual interest rate as one. The question of which state’s law applies to a particular transaction affects the precise ceiling. It does not affect the conclusion. An obligation carrying an effective interest rate of several hundred percent per annum is unenforceable as a matter of lending law in every state, regardless of whether that state’s statute calls it “criminal usury,” “civil usury,” or “unconscionable lending.” If the transaction is a loan — and the NYAG petition established through the respondents’ own admissions that it is — then the obligation under which these amounts are collected is void or unenforceable. An amount calculated under a void obligation cannot be “due and owing.” The ODFI is warranting that a legally unenforceable amount is owed.

Third: the payee’s legal entitlement to receive payment. Even if the arithmetic were correct and the obligation were legally valid, the party seeking payment must be legally authorized to be paid. This is the principle that operates in OFAC sanctions — the contract may be valid, the calculation may be correct, but the payment itself is impermissible because the payee is not legally entitled to receive it. In the predatory MCA context, an entity collecting payments under what has been established as a criminal usury scheme is not legally entitled to receive those payments. The illegality attaches to the receipt of funds, not merely to the contractual obligation. An amount cannot be “due and owing” to a party that is not legally authorized to be paid.

Fourth: the warranty is a BSA/KYC warranty. The due and owing warranty does not say “an amount is owed.” It says a specific amount is due and owing from the receiver to the originator. That directional specificity — to the originator — is doing enormous work. To warrant that funds are owed to a particular party, the warranting institution necessarily represents that it has sufficient knowledge of that party to make the warranty meaningful. The ODFI cannot credibly warrant that money is due and owing to an entity it has not identified, has not vetted, and has not assessed for the legitimacy of the transactions it is conducting through the ODFI’s origination infrastructure. That is not an inference from the warranty language. That is what Know Your Customer requirements exist to establish — the identity, legitimacy, and risk profile of the parties a regulated institution does business with. The ODFI’s origination relationship with the MCA operator is a customer relationship subject to BSA’s Customer Due Diligence requirements. The due and owing warranty is the point in the ACH framework where that obligation becomes operative, because the warranty is the moment the ODFI puts its institutional credibility behind the statement that this originator is entitled to receive this payment from this receiver. An unconditional warranty of entitlement, made by a regulated institution to other regulated institutions that rely on it, carries with it a necessary representation that the warranting institution has performed the diligence its regulatory obligations require. The RDFI processes the debit because the ODFI warranted it was due and owing. That reliance is only reasonable if the warranty is backed by actual diligence on the party to whom the funds are warranted as owed. If the ODFI has not performed adequate KYC on the originator — if it does not know whether the originator is conducting a legitimate receivables purchase or a criminal usury operation — then the warranty is hollow, and every institution in the chain that relied on it was relying on a representation the ODFI did not have the information to make.

Fifth: the warranty blankets the entire chain. The ODFI does not warrant one of these conditions. It warrants all of them — unconditionally, for every entry it originates. The warranty under § 2.4.1.6 runs through the chain from originator to Third-Party Sender to ODFI to the network. It is not qualified by “to the best of the ODFI’s knowledge” or “based on the originator’s representations.” It is an unconditional warranty that the amount is due and owing. If any prong fails — wrong arithmetic, void obligation, impermissible payee, inadequate diligence on the originator’s identity and legitimacy — the warranty is breached.

Nacha’s response answered a question the article did not ask — whether the goods and services carveout applies — and left unanswered the question the article did ask: how does the ODFI satisfy its due and owing warranty across all five of these conditions when the authorization is made “pursuant to” an agreement whose operative formula was never applied, whose underlying obligation may be void, whose originator may not be legally entitled to receive the funds, and whose originator’s legitimacy the ODFI may never have assessed with the diligence its own regulatory obligations require?

Level Two: Even the Authorization Warranty Nacha Did Address Fails on the Face of the Documents

Nacha’s response implied that the authorization warranty was satisfied — that the ODFI had a valid authorization for the ACH entries in question. The authorization form in a typical predatory MCA transaction tells a different story.

A representative ACH Authorization Form — the kind appended to a standard MCA Future Receivables Purchase and Sale Agreement — contains language substantially similar to the following:

“Pursuant to that certain FUTURE RECEIVABLES PURCHASE AND SALE AGREEMENT dated [date] between Purchaser and Seller (the ‘Agreement’), Seller hereby authorizes Purchaser to initiate ACH debit entries to Seller’s account… in an amount of up to [dollar amount]…”

Two phrases in that sentence are dispositive and inseparable.

“Pursuant to.” The authorization is not freestanding. It is expressly conditioned on and bounded by the Agreement it references. The Agreement defines what is owed. The authorization permits collection of what the Agreement says is owed — not more, not less, and not something different.

“Up to.” The authorization does not authorize a fixed amount. It authorizes debits up to a ceiling. “Up to” is a cap, not a floor. It means the actual amount debited must be determined by something else — and the only “something else” is the operative payment formula in the Agreement the authorization is made pursuant to.

The analogy: if someone hands you one page of a twelve-page contract that says you owe $1 million, without the other eleven pages that explain that you owe $1 million only if your revenue exceeded $10 million, the one page does not establish what is owed. It establishes a framework for determining what is owed. The authorization form in a predatory MCA transaction functions identically.

Level Three: What the Agreement — Incorporated by Reference — Establishes as Actually Due

The Agreement the authorization is made “pursuant to” defines the operative payment obligation through a specified percentage formula. In a representative MCA agreement, the initial remittance amount is described as “a good faith approximation of the Specified Percentage of Seller’s Future Receivables.”

An approximation is not a determined amount. It is not a fixed entitlement. It is — by the Agreement’s own operative definition — a preliminary estimate that the Agreement’s formula is designed to correct through the reconciliation mechanism. The amount actually due under the Agreement is the Specified Percentage of actual receivables, calculated and reconciled.

The NYAG’s investigation documented what happens in practice. The Yellowstone network entered into approximately 87,180 MCA agreements before January 2020. Across all 87,180 agreements, the number of reconciliation refunds issued was zero. The Specified Percentage formula existed in every contract. It was never applied. The “good faith approximation” was never reconciled. The fixed amount was collected without reference to actual revenue — which means the authorization form’s “pursuant to” language pointed to a formula that was never calculated, making the specific dollar amount collected in each ACH entry unsupported by the operative payment mechanism the authorization incorporated.

Level Four: The Incorporation Clause — and Its Asymmetry

MCA agreements typically contain an incorporation provision requiring the merchant to acknowledge that ACH entries must comply with applicable ACH rules, including the Nacha Operating Rules. This provision binds the merchant to Nacha’s rules. Two observations follow.

First, the provision does not limit the originator’s obligations or the ODFI’s obligations. It cannot. The ODFI’s warranty obligations arise independently under Nacha’s Operating Rules by virtue of the ODFI’s participation in the ACH network. The originator is independently bound as a Nacha Originator by virtue of its ACH origination relationship with the ODFI. Those obligations exist regardless of what the MCA agreement says.

Second, and more significantly: the incorporation provision binds the merchant to Nacha’s rules in a transaction that the Agreement itself structures to violate those rules. The merchant is told to comply with the rules. The originator collects amounts that the Agreement’s own formula — if applied — would not support. The merchant is bound to the framework. The originator operates outside it. That asymmetry is the document’s most revealing feature.

The Authorization Warranty Failure Under § 2.3.1

Nacha Operating Rule § 2.3.1 requires that a valid authorization “comply with applicable Legal Requirements, be readily identifiable as an authorization, and have clear and readily understandable terms.” An authorization form whose operative amount is “up to” a ceiling “pursuant to” an Agreement that characterizes the initial amount as a “good faith approximation” subject to reconciliation — where no reconciliation has ever been performed across tens of thousands of agreements — does not establish a readily identifiable, clear, and readily understandable authorization for the specific fixed amount being debited.

Nacha’s response stated that the authorization warranty “does not further apply to the nature of the goods or services for which payment is being made.” That is accurate. It is also unresponsive. The question was never about the nature of the goods or services. The question was about the amount — and the amount, under the operative documents, was never a fixed number.

What Claim 2 Did and Did Not Address

Question 5 asked whether Nacha’s risk guidance addresses the specific pattern of identical ACH debits under variable-formula authorizations as a mandatory SAR assessment trigger. Nacha’s response did not address this.

Question 6 asked whether Nacha has a published position on the BSA standard applicable to ODFI origination of fixed-payment entries under variable-formula MCA authorizations. Nacha’s response did not address this.

Both questions asked about the amount — the gap between what the authorization formula produces and what is actually collected. Nacha’s response addressed the nature of the goods or services. These are different questions, and the answer to one is not responsive to the other.

The Compliance Trap This Creates for Every ODFI

The warranty failures documented above are not specific to one bank’s compliance department or one originator’s documentation practices. They are structural — embedded in the intersection of Nacha’s warranty framework and the fixed-payment MCA product. The compliance trap they create is binary, and both states are fatal.

State A — The ODFI did not review the agreement. If an ODFI onboarded a receivables purchase originator without reviewing the operative agreement — the instrument that defines what amounts are due and owing, and that the authorization form itself incorporates by reference with the words “pursuant to” — it violated its § 2.2.3 due diligence obligation before entry one. Every subsequent warranty was made without the foundational review that the Rules required. The ODFI cannot invoke the agreement’s terms to defend transmissions it made without ever reading those terms. In State A, every warranty is made in willful ignorance of facts the Rules required the ODFI to know.

State B — The ODFI reviewed the agreement. If the ODFI read the agreement, the “good faith approximation” language was visible at onboarding. The formula’s structural inoperability was visible at onboarding. The arithmetic producing a criminally usurious effective rate was computable at onboarding — from the numbers on page one, in approximately ninety seconds, using a calculation performed daily in every commercial bank’s lending division. In State B, every warranty is made with actual knowledge of every fact that makes it false.

There is no third state. An ODFI either read the agreement or it did not. Both states produce the same legal conclusion: the § 2.4.1.6 warranty was false on every entry, and the ODFI either knew it was false or deliberately avoided knowing.

Nacha wrote the rules that create this binary. Nacha’s § 2.4.1.6 requires the due and owing warranty. Nacha’s § 2.2.3 requires the pre-origination review that would reveal the warranty’s impossibility. Nacha’s § 2.3.1 requires that the authorization comply with applicable Legal Requirements — which include the usury laws the ninety-second calculation reveals are violated. The rules, applied as written, do not permit a compliant ODFI to originate a single entry for a fixed-payment receivables collection program. Not the second entry. Not the first.

Nacha’s response to this publication did not address the due and owing warranty. It did not address the compliance trap the Rules create. It did not explain how any ODFI — in either state — can make the warranty Nacha’s own rules require. The omission is not incidental. The question has no answer that preserves both the warranty framework and the product it warrants.

Claim 3: Nacha’s Enforcement Role Is “Distinct” from Statutory Authority

Nacha’s enforcement role is intended to promote Rules compliance by financial institutions. It is distinct from the statutory authority exercised by regulators, law enforcement or courts. Nacha does not resolve commercial disputes between parties making and receiving payments.

This is the most honest paragraph in Nacha’s response. It is also the most significant — because it confirms in Nacha’s own words the central argument of the companion article.

The Gap Between What Nacha’s CEO Said and What Nacha’s Response Says

Ms. Larimer said: “We run the enforcement of the rules.” Nacha’s response says enforcement is “intended to promote Rules compliance.” These are not two descriptions of the same function. Promoting compliance and running enforcement are different institutional commitments with different resource requirements, different procedural frameworks, and different outcomes for the parties affected. A police department that describes itself as “promoting public safety through community education” is describing a fundamentally different operation than one that says it “runs law enforcement.” Nacha’s CEO used the enforcement vocabulary. Nacha’s formal response retreated to the compliance vocabulary. Both cannot accurately describe the same function.

The Federal Incorporation Consequence

The statement that Nacha’s enforcement role “is distinct from the statutory authority exercised by regulators, law enforcement or courts” is accurate as a legal matter. Nacha is not a federal agency. But this statement, standing alone, omits the consequence that makes the distinction significant.

Federal banking examiners assess ODFI compliance against Nacha’s rules. The OCC, the FDIC, the Federal Reserve, and FinCEN have each incorporated Nacha’s framework into their examination standards. When Nacha says its enforcement role is “distinct” from statutory authority, it is describing a gap. And that gap has a specific consequence: the organization whose rules define the federal compliance standard has, by its own admission, an enforcement function that operates below the level of statutory authority. The rules have the force of federal regulation. The enforcement of those rules does not.

This means that any ODFI violation of Nacha’s rules that Nacha’s own enforcement function declines to pursue — or lacks the capacity to pursue — remains a violation of the standard against which federal examiners assess compliance, but without the enforcement mechanism the rules’ federal incorporation would suggest exists. The merchant whose account is debited in violation of Nacha’s rules cannot trigger the enforcement function — that right belongs exclusively to Nacha’s member financial institutions — and the federal examination framework assesses ODFI compliance against rules whose own enforcement authority describes its role as “promoting compliance.”

Nacha’s response confirms that its enforcement authority is categorically distinct from statutory authority, that it cannot compel the outcome of a dispute, and that a merchant subjected to unauthorized ACH collections has no path to the enforcement mechanism that governs the very network those collections traverse.

The Merchant Has No Path — Confirmed

“Nacha does not resolve commercial disputes between parties making and receiving payments.”

This sentence, read alongside the documented eleven-minute complaint response described in the companion article, confirms a closed loop with no exit for the merchant:

• The merchant cannot file a complaint with Nacha directly — confirmed by Nacha’s eleven-minute response directing the complainant to the financial institution whose conduct the complaint documented.

• The RDFI can file permissively on the merchant’s behalf — but is not required to do so.

• If the RDFI files, the ODFI can condition return on originator permission — documented in a specific case in writing.

• Nacha does not resolve the resulting dispute — confirmed by Nacha’s response in this publication.

• No party with authority to compel a return is required to act on the merchant’s behalf within a timeline that preserves the merchant’s operating capacity.

Nacha’s response confirmed this chain. It did not explain what the merchant is supposed to do instead. That question — the seventh question submitted to Ms. Larimer — was not answered.

What Claim 3 Did and Did Not Address

Question 2 asked whether Nacha’s eleven-minute complaint response is consistent with Ms. Larimer’s characterization of Nacha as the enforcement authority, and what remedy exists for a merchant whose RDFI declines to file on their behalf. Nacha’s response stated that it “does not resolve commercial disputes between parties making and receiving payments.” This partially addresses the question — it confirms there is no remedy within Nacha’s framework — but it does not address the consistency question or the eleven-minute response time.

Question 7 asked whether Nacha is considering structural reform to give merchants direct access to the enforcement framework. Nacha’s response did not address this.

What Fixed Payments Tell the ODFI — and What the Rules Require It to Do

Nacha’s response described its enforcement role as promoting compliance. It did not describe what compliance would actually look like if promoted — because what compliance looks like, applied to fixed-payment MCA, is the termination of the product.

The analytical chain begins with a factual observation any ODFI’s monitoring system can produce. Nacha’s § 2.2.3 requires ODFIs to monitor origination patterns across multiple settlement dates. The BSA/AML monitoring standards incorporated into federal examination guidance require ODFIs to identify transaction patterns inconsistent with the stated business purpose. When an ODFI monitors a receivables purchase program and observes that every collection is identical — to the penny, on every settlement date, across weeks or months — the pattern is inconsistent with the stated purpose. A receivables purchase collects a percentage of actual receivables. Actual receivables fluctuate with business activity. Payments that never vary are not a percentage of anything that varies. They are fixed.

That observation is not the end of the analysis. It is the beginning — because a fixed payment under a variable-formula agreement does not merely suggest that the formula is not being applied. It reclassifies the product.

The entire legal distinction between a receivables purchase and a loan depends on three structural features: variable payments tied to actual receivables, no fixed maturity date, and no absolute right of repayment. Courts have consistently identified these as the hallmarks that distinguish a true receivables purchase from a disguised loan. When the payments are fixed, the first hallmark is absent. When the agreement specifies a purchased amount to be repaid in full, the third hallmark is absent. The product is not a receivables purchase. It is a loan.

That reclassification triggers an independent obligation that exists in the current rules — not a proposed standard, not an aspirational recommendation, but an obligation the ODFI is required to perform right now. Nacha § 2.3.1 requires that an authorization “comply with applicable Legal Requirements.” The BSA/CDD framework requires the ODFI to understand the nature of the customer’s business and assess whether its activities are lawful in the jurisdictions where it operates. Once the payment pattern reveals that the product is a loan, the ODFI has an existing obligation to determine whether it is a lawful loan before continuing to serve as its collection mechanism.

The determination requires approximately ninety seconds. The numbers are on the face of page one of every standard MCA agreement: purchase price paid, purchased amount to be collected, collection amount per period, collection frequency. The XIRR calculation — the same calculation performed daily in every commercial bank’s lending division — produces the effective annualized rate. In cases documented in public filings, these rates have reached into the thousands of percent. In the NYAG Yellowstone enforcement action, the documented rates exceeded 500%. These rates do not approach criminal usury thresholds. They exceed them by multiples.

An ODFI that identifies the product as a loan and computes the rate has reached the end of the analysis: the loan is unlawful. The authorization is invalid under applicable Legal Requirements. The amount cannot be due and owing because the obligation is void. Origination must stop — not because a new rule requires it, but because the existing rules, applied as written, compel that conclusion.

Nacha’s rules already contain every obligation necessary to identify and halt fixed-payment MCA collection through the ACH network. The § 2.2.3 monitoring obligation identifies the fixed-payment pattern. The pattern reclassifies the product as a loan. The reclassification triggers the § 2.3.1 legal requirements assessment and the BSA/CDD obligation to assess legality. The assessment reveals the criminal rate. The rate makes the § 2.4.1.6 warranty impossible. No new rule is required. No regulatory amendment. No legislative action. The rules Nacha wrote — the rules whose enforcement Nacha’s CEO described as her responsibility — produce this conclusion when applied as written. The eleven-minute response to this publication’s complaint was not a failure of rule design. It was a failure of rule application by the organization that describes itself as responsible for both.

Claim 4: The Two-Banking-Day Return Right and the Debit Block Recommendation

The Nacha Rules permit a receiving bank to return an unauthorized ACH payment to the originating bank, typically within two banking days when an unauthorized payment posts to a business account. Although the incidence of unauthorized ACH payments is very low, Nacha recommends that businesses monitor account activity at least daily and consider using bank-offered services — such as debit blocks and positive pay — to help prevent unauthorized payments.

This paragraph contains two distinct problems — one of legal accuracy and one of fundamental framing — that together reveal how Nacha’s rules function in practice to protect the extraction mechanism rather than the merchant.

The Legal Accuracy Problem: A Permissive Right Presented as a Merchant Remedy

The two-banking-day return window Nacha described does exist for business accounts — return reason code R29 (Corporate Customer Advises Not Authorized) is available for CCD entries. Nacha’s statement is technically accurate. What makes it misleading is what the statement omits about how that right operates in practice and what other return mechanisms exist that Nacha chose not to mention.

First, the two-banking-day right belongs to the RDFI, not the merchant. The merchant cannot invoke it directly. The merchant must convince their bank to act — within two banking days of settlement — on a debit that may appear routine, that posts alongside dozens of other business transactions, and that the merchant may not recognize as unauthorized until well after the window closes. Two banking days is not a remedy for a merchant subjected to a pattern of fixed extractions engineered to look like normal recurring debits.

Second, the right is permissive, not mandatory. The RDFI may return the entry. It is not required to. There is no obligation within Nacha’s framework that compels the RDFI to act on the merchant’s behalf, regardless of the evidence the merchant presents.

Third, and most significantly, Nacha’s response did not mention the proof-of-authorization mechanism — the return path that actually governs how these disputes play out in practice. Under the Nacha rules, the RDFI can submit a Written Statement of Unauthorized Debit requesting the ODFI to produce proof that the entry was authorized. The ODFI has ten banking days to respond. This is the mechanism the companion article documented — and the documented result was the ODFI responding that it was waiting for “permission to return” from the originator. The entity that collected the money was given veto power over the only realistic return mechanism available.

Nacha described the two-banking-day return right — the shortest window, the least accessible to the merchant, the one most likely to have expired before the merchant even identifies the problem. It did not describe the proof-of-authorization mechanism — the return path with a longer timeline, the one the merchant is more likely to actually use, and the one that the documented evidence shows the ODFI subordinated to originator permission. Whether this was an error or a deliberate choice of emphasis, the effect is the same: Nacha presented the least useful remedy and omitted the more relevant one whose documented outcome confirms the structural argument of the companion article.

The Framing Problem: Putting the Burden on the Merchant for a Trap the Agreement Creates

Nacha’s recommendation that businesses “consider using bank-offered services such as debit blocks and positive pay to help prevent unauthorized payments” transfers the burden of protection to the merchant. In isolation, this is reasonable advice. In context, it is advice to walk into a trap.

The MCA agreement was specifically engineered to make every available merchant protection a contractual default event:

• The merchant who instructs their bank to block the debit — the debit block Nacha recommends — has committed a contractual default under the agreement’s terms, typically triggering acceleration of the full purchased amount plus fees and penalties.

• The merchant who moves funds to protect cash flow has committed a default.

• The merchant whose account has insufficient funds — because the fixed extractions depleted it — has committed a default.

• In states that permitted confessions of judgment during the relevant period, a single missed payment could produce a court judgment freezing personal bank accounts without notice or hearing — sometimes within days.

Nacha’s rules were specifically structured to make the MCA agreement’s ACH authorization mechanism effective and irresistible. The ODFI warrants authorization. The RDFI processes the debit. The merchant’s only recourse within the framework — the debit block — triggers the agreement’s default provisions. Every exit is an entrance to something worse.

Nacha recommended a debit block to a merchant whose agreement converted a debit block into a defaulting event. That recommendation, offered without acknowledging the contractual consequence it triggers, is not a remedy. It is evidence that Nacha’s framework does not account for the reality of the transactions it governs.

What Claim 4 Did and Did Not Address

Question 5 asked about the specific ACH origination pattern — fixed identical debits under variable-formula authorizations — and whether Nacha’s risk guidance addresses it as a mandatory SAR assessment trigger. Nacha’s response described the return mechanism instead. These are different topics: one asks what happens after the unauthorized debit posts; the other asks whether the origination pattern should be flagged before it posts.

Question 6 asked about the BSA standard applicable to ODFI origination of this pattern. Nacha’s response did not address BSA obligations at all.

THE SEVEN QUESTIONS: WHAT WAS ASKED, WHAT WAS ANSWERED

The following maps each of the seven questions submitted to CEO Jane Larimer against what Nacha’s response actually addressed. This is not an argument. It is an accounting.

Question 1 asked whether Nacha’s network compliance function identified the fixed-payment MCA origination pattern during the period the NYAG documented over $1 billion in Yellowstone collections through the ACH network — and if not, why not; if yes, what enforcement action was taken.

Nacha’s response: Did not address. Nacha stated it “does not have access to information about individual payments.” The question asked about origination patterns, not individual payments.

Question 2 asked whether Nacha’s eleven-minute complaint response — directing the complainant back to the financial institution whose conduct the complaint documented — is consistent with Nacha’s characterization as the enforcement authority for the ACH network, and what remedy exists for a merchant whose RDFI declines to file on their behalf.

Nacha’s response: Partially addressed. Nacha confirmed it “does not resolve commercial disputes between parties making and receiving payments,” which implicitly answers the remedy question (there is none within Nacha’s framework). It did not address the eleven-minute response time or the consistency with Ms. Larimer’s public characterization.

Question 3 asked whether a $26.8 million trade association with 77 employees has the institutional capacity to serve as the enforcement authority for an $86.2 trillion network, and what specific enforcement infrastructure — not rules, not guidance, but staffed enforcement capacity — Nacha maintains to monitor ODFI origination patterns.

Nacha’s response: Did not address.

Question 4 asked whether Nacha believes it has obligations commensurate with federal incorporation of its rules into 31 C.F.R. Part 210 and federal examination guidance, including an obligation to maintain enforcement mechanisms accessible to merchants.

Nacha’s response: Did not address. Federal incorporation was not mentioned.

Question 5 asked whether Nacha’s risk guidance addresses the specific pattern of recurring identical ACH entries under a variable-percentage-of-receivables authorization as a potential SAR assessment trigger, and whether Nacha has taken enforcement action against any ODFI for failing to flag this pattern.

Nacha’s response: Did not address. Nacha described the two-banking-day return mechanism, which is a post-entry remedy, not an origination-pattern monitoring standard.

Question 6 asked whether Nacha has a published position on the BSA standard applicable to ODFI origination of fixed-payment entries under variable-formula MCA authorizations — specifically whether a pattern of recurring identical entries should constitute a SAR assessment trigger.

Nacha’s response: Did not address. The Bank Secrecy Act was not mentioned.

Question 7 asked whether Nacha is considering structural reform to give merchants direct access to the enforcement framework, given that 18,000+ small businesses had no membership, no vote, no complaint access, and no federal statutory protection under EFTA (which excludes business accounts).

Nacha’s response: Did not address. Structural reform was not mentioned. The EFTA exclusion was not mentioned. Merchant access to enforcement was not mentioned.

Summary: Of seven questions, zero received a direct answer. One (Question 2) received a partial, implicit response. Six received no response at all. Four of the seven questions asked about specific facts, mechanisms, or positions that Nacha could have confirmed or denied. Nacha chose to address none of them, instead offering four paragraphs that describe Nacha’s general role, cite a warranty carveout the article did not rely on, confirm an enforcement gap the article identified, and recommend a remedy the MCA agreement converts into a default event.

THE EVIDENCE IN THE PUBLIC RECORD — AND WHAT IT DEMANDS

The analysis above addresses what Nacha said and didn’t say. What follows addresses what the public record now requires of every ODFI in Nacha’s network — and what Nacha, as the organization whose rules define the compliance standard, is obligated to do about it.

What the NYAG Established

On March 5, 2024, the New York Attorney General filed a Verified Petition against the Yellowstone Capital network — the largest state enforcement action against predatory MCA in history, resulting in a $1.065 billion judgment. The petition is 289 pages. It is public. Its findings are supported by sworn testimony, internal communications, and transactional data. Here is what it established, in the respondents’ own words:

The transactions were loans. The petition documented that respondents’ own personnel repeatedly referred to MCAs as “loans” and to themselves as “lenders” — in internal communications, in communications with merchants, and in sworn testimony. Multiple insiders acknowledged that the product was structured to avoid usury classification while functioning as a fixed-payment, short-term, ultra-high-interest loan.

The reconciliation mechanism was a sham. David Glass, a respondent, stated to a funder: “The merchants[’] right to a reconciliation is what makes ou[r] product not a loan. If the merchant’s right to reconciliation is a sham then the product is a loan.” Isaac Stern responded: “The only reasons MCA’s are not a loan is because we purchase a percentage of their sales and every month they have the ability to review if we possibly overcollected that percentage and receive a refund.”

Zero reconciliation refunds across 87,180 agreements. Out of approximately 87,180 MCA agreements entered before January 2020, the Yellowstone network never issued a single refund to a merchant as the result of reconciliation. The contractual right that distinguished these transactions from loans was never exercised — not once, across tens of thousands of agreements.

The Specified Percentages were deliberately inflated to prevent reconciliation. Bart Maczuga, a respondent and CEO of the successor entity, explained: “[E]veryone was making [the Specified Percentage] higher than they should to protect themselves, thus making it a sham to begin with.” Internal communications confirmed that legal departments changed contracts to reflect higher percentages specifically to ensure reconciliation would never produce a refund.

The scale. 115,468 MCA transactions. An estimated $4.5 billion collected from merchants. An estimated $1.38 billion in interest. Effective annual interest rates regularly in the triple digits, reaching as high as 820% — rates that exceed the usury ceiling, civil or criminal, of every U.S. jurisdiction that has one.

Every dollar moved through the ACH network. Every one of those 115,468 transactions was originated by an ODFI that placed its unconditional warranty behind each entry. Every fixed daily or weekly debit was processed through Nacha’s rules. Every collection was made possible by a bank that warranted it was authorized and due.

From Fixed Payments to Criminal Usury — The Analytical Steps

The connection between fixed-payment ACH debits and criminal usury is not an inference. It is a chain of established legal and factual steps, each of which is independently documented.

Step one: fixed payments make the transaction a loan. The only legal distinction between a merchant cash advance and a loan is the variable-payment structure. Courts have held consistently that a genuine purchase of future receivables — where payments fluctuate with actual business revenue, where there is no fixed maturity date, and where the funder bears the risk that the merchant earns nothing — is not a loan and is therefore not subject to usury statutes. Remove the variable feature, and the distinction collapses. When payments are fixed — identical amounts, identical frequency, regardless of actual revenue — the transaction has a fixed repayment obligation and a determinable maturity. That is a loan. The NYAG’s petition documented that the respondents’ own insiders knew this. Glass said it explicitly: if reconciliation is a sham, the product is a loan. Stern said it: the only reason MCAs are not a loan is because “we purchase a percentage of their sales.” When the percentage is never calculated and reconciliation never occurs, the reason MCAs are not loans disappears — by the insiders’ own analysis.

Step two: the interest rates are calculable from the face of the agreements. Once a fixed-payment MCA is classified as a loan, the effective interest rate is arithmetic. The funder advances a known amount. The merchant repays a larger known amount (the purchased amount) in fixed installments over a determinable period. The difference between the advance and the total repayment, annualized over the repayment period, is the effective annual interest rate. The NYAG calculated these rates across the Yellowstone network’s portfolio. They were regularly in the triple digits. They reached as high as 820%.

Step three: those rates constitute usury in virtually every U.S. jurisdiction. This is not a New York-specific conclusion. New York’s criminal usury ceiling is 25% per annum under Penal Law § 190.40. Its civil usury ceiling is 16%. But the rates the NYAG documented — 250%, 400%, 820% — are not borderline cases that turn on which state’s law applies. They exceed the usury ceiling in every state that has one. They exceed the criminal usury threshold in every state that has a criminal usury statute. Even in states with higher ceilings or broader exemptions for commercial transactions, no jurisdiction contemplates — much less permits — annual interest rates of several hundred percent on what are functionally short-term business loans. The choice-of-law question affects which statute applies. It does not affect whether these rates are lawful. They are not — anywhere.

Step four: the ACH pattern is the collection mechanism for that criminal conduct. Every fixed daily or weekly ACH debit in these transactions is a collection event on a criminal-usury-rate loan. The ACH entry is not incidental to the usury. It is the usury’s execution mechanism — the means by which the criminal interest rate is converted from a contractual term into actual money extracted from the merchant’s operating account. The bank that originates that entry is not a bystander. It is the institution whose charter, whose access to the Federal Reserve’s payment system, and whose unconditional warranty make the extraction possible.

This is the chain: fixed payments make it a loan; the rates make it criminal usury; the ACH entry is the collection mechanism; and the ODFI’s warranty is the institutional seal that moves it through the banking system. Each step is documented. Each step is calculable. And after the NYAG’s petition, each step is a matter of public record.

What the BSA Requires — and Why Banks Cannot Look Away

The Bank Secrecy Act, 31 U.S.C. § 5318(g), requires financial institutions to file Suspicious Activity Reports when they “know, suspect, or have reason to suspect” that a transaction involves funds derived from illegal activity. The operative standard is the third prong: “reason to suspect.” This is not a probable cause standard. It is not an actual knowledge standard. It is a standard that asks whether a reasonable compliance officer, given the available information, should have flagged the activity for review.

31 U.S.C. § 5318(h) separately requires every bank to maintain an anti-money laundering program with “internal policies, procedures, and controls” reasonably designed to detect suspicious activity. FinCEN has been explicit: these programs must be risk-based and must account for known typologies. When an enforcement action publicly identifies a transaction pattern as indicative of criminal conduct, that pattern becomes a known typology.

The NYAG established that fixed-payment MCA transactions signal criminal usury. What the NYAG did not do — and what no regulator, no enforcement agency, and no industry body has done — is name the specific ACH origination trigger that would identify this pattern before it causes harm. This article does.

The trigger is identical-amount ACH debits to a business account, same originator, recurring daily or weekly, under an authorization referencing a variable-percentage-of-receivables formula. Whether the threshold is three consecutive entries, five, or seven is a calibration question — not a conceptual one. The pattern is distinctive because there are almost no legitimate business transactions that produce it. Payroll varies with hours worked. Lease payments don’t post daily. Subscription services don’t debit thousands of dollars three times a week. When a business account shows identical high-frequency debits under an authorization whose stated formula requires variable amounts tied to actual revenue, that pattern is categorically inconsistent with the authorization’s own terms. It is visible on the face of any bank statement. It requires no investigation to identify — only arithmetic. Any basic rule-based transaction monitoring system can flag it. The question is not whether banks can detect this pattern. The question is whether, given what is now publicly known about what this pattern represents, they can justify not looking.

These obligations are not separate from the ODFI’s warranty obligations under Nacha’s rules. They are the same obligation, viewed from two regulatory angles. As the due and owing analysis in Claim 2 establishes, the ODFI’s warranty that each entry is due and owing to the originator is itself a representation that the ODFI has performed the diligence necessary to warrant entitlement — which is the substance of what BSA’s KYC and Customer Due Diligence requirements demand. The warranty and the BSA obligation converge at the same point: the ODFI must know enough about its originator to credibly represent that the funds being collected are legitimately owed to that originator. An ODFI that has not performed adequate KYC on an MCA originator cannot satisfy its due and owing warranty, and an ODFI that warrants amounts as due and owing without adequate KYC has made an unconditional representation it did not have the diligence to support.

Before the NYAG’s action, a bank could plausibly argue: “We process millions of ACH transactions. We cannot investigate the business purpose behind every recurring debit. The originator warranted authorization. We relied on Nacha’s rules.” That argument had weight when the bank had no specific reason to suspect the pattern represented criminal conduct.

After the NYAG’s action, that argument fails. The NYAG established — through a concluded investigation, with sworn testimony and transactional data — that fixed-payment MCA debits have been systematically used to collect criminal-usury-rate loans disguised as receivables purchases. That finding is public. It is in the record. It is supported by the respondents’ own admissions.

A bank that originates fixed-payment MCA entries after March 2024 has constructive knowledge that the pattern has been proven to signal criminal lending. The “reason to suspect” standard under § 5318(g) is triggered not by knowledge that this particular originator is engaged in usury, but by knowledge that this pattern has been publicly proven to be associated with criminal conduct. That is the definition of a known typology.

The consequences of failing to act on known typologies are not administrative. Federal prosecutors have brought criminal cases against financial institutions for systematic BSA monitoring failures. TD Bank, Rabobank, and USAA FSB each demonstrate that when the pattern is sustained and the volume is significant, the government treats monitoring failures as criminal matters under 31 U.S.C. § 5322. The predatory MCA origination pattern is more mechanically visible than most SAR triggers. It requires only arithmetic to identify.

“We Are Just Banks Processing Payments” — Why That Defense Does Not Exist

This is where the argument will be made. Every ODFI confronted with the analysis above will reach for the same defense: We are banks. We process payments. We cannot investigate the business purpose behind every ACH entry. We relied on the originator’s representations. We relied on Nacha’s rules. We are intermediaries, not participants.

That defense does not exist under the legal framework that governs these institutions. It must be stated plainly why, because the banks will say it anyway, and it must be clear — to regulators, to examiners, to prosecutors, and to the banks themselves — that the law has already answered this argument and the answer is no.

First: the BSA does not permit willful blindness. The “reason to suspect” standard under § 5318(g) was designed precisely to foreclose the argument that a bank can avoid its obligations by not looking. The statute does not require actual knowledge of criminal activity. It does not require suspicion. It requires “reason to suspect” — and a bank that processes a pattern publicly proven to represent criminal conduct has reason to suspect, whether or not it chose to look. The BSA’s entire architecture is built on the premise that financial institutions are gatekeepers, not passive conduits. A bank that says “we are just processing payments” is describing the one thing the BSA says banks are not permitted to be.

Second: systemic monitoring failures are criminal conduct. This is not a theoretical proposition. It is the holding of multiple federal enforcement actions. TD Bank paid $1.3 billion in penalties and its BSA compliance officer faced personal criminal charges — not because TD Bank knowingly laundered money, but because it failed to maintain transaction monitoring systems adequate to detect suspicious patterns flowing through its accounts. The government’s theory was not that TD Bank participated in crime. It was that TD Bank’s failure to monitor constituted a criminal violation of 31 U.S.C. § 5322. Rabobank pleaded guilty to conspiracy to obstruct an examination of its BSA compliance program and was fined $369 million. USAA FSB was fined $140 million for willful failures in its AML program. In each case, the bank’s defense was some version of “we didn’t know.” In each case, the government’s response was that not knowing — when the institution had the obligation to know and the means to know — was itself the crime.

Third: not knowing is worse than knowing when the institution was obligated to know. A bank that knowingly facilitates criminal activity is a bad actor. A bank that fails to build the systems, hire the staff, and implement the controls necessary to detect criminal activity flowing through its infrastructure is something different — it is an institution that has made a systemic decision not to perform the obligations that justify its charter, its access to the federal payments system, and its ability to make unconditional warranties on behalf of its origination clients. The knowing participant chose to break the law. The systemically negligent institution chose not to build the infrastructure necessary to follow it. Federal prosecutors have treated the latter as equal to or worse than the former, because systemic failures affect every transaction the institution processes, not just the ones involving bad actors. When a bank’s monitoring systems are inadequate, every criminal dollar that flows through the institution flows through undetected — not because the bank decided to let that particular dollar through, but because the bank decided not to build the system that would catch it.

Fourth: the ODFI is not an intermediary. It is a warrantor. This is the point that collapses the “just processing” defense entirely. An intermediary passes through a transaction without making representations about it. The ODFI does not pass through ACH entries. It warrants them. Under § 2.4.1.6, the ODFI warrants — unconditionally, on every entry, to every institution in the chain — that the amount is due and owing from the receiver to the originator. That warranty is not the act of an intermediary. It is the act of a principal. The moment the ODFI makes that warranty, it has assumed responsibility for the legitimacy of the entry. A party that makes unconditional representations about a transaction to other regulated institutions that rely on those representations cannot simultaneously claim to be “just processing payments.” You are either warranting or you are not. If you are warranting, you have accepted the obligation to know what you are warranting. If you have not performed the diligence necessary to know, you have made a representation you cannot support — and every institution that relied on your warranty was misled.

Fifth: “we relied on Nacha’s rules” is an admission, not a defense. The bank that says it relied on Nacha’s rules is saying that it relied on a framework that — as this article has documented — does not require the ODFI to flag the fixed-payment MCA pattern, does not require originator screening against concluded enforcement actions, and does not identify the most mechanically obvious predatory origination typology in the ACH network as a mandatory review trigger. Reliance on a framework that does not require adequate monitoring is not a defense to a charge that monitoring was inadequate. It is an explanation of why monitoring was inadequate. And the explanation — “we followed a framework that didn’t require us to look” — is precisely the systemic failure that federal prosecutors have treated as criminal conduct. The BSA does not say “monitor suspicious activity unless Nacha’s rules don’t require it.” It says monitor suspicious activity. The obligation is statutory. It does not yield to a trade association’s silence.

Sixth: “we didn’t intend to break the law” is not a defense when the law does not require intent — and even where it does, willful blindness satisfies it. The banks will say: even if we made mistakes, we did not act with criminal intent. This argument fails at two independent levels, and both must be stated clearly because the banks will assert this defense as though it were self-evident.

At the first level, the BSA does not require criminal intent. The willful failure standard under 31 U.S.C. § 5322 requires only that the institution acted willfully in failing to maintain adequate anti-money laundering controls or to file required SARs. Courts have consistently interpreted “willfully” in the BSA context to mean voluntary and intentional — not that the institution intended to facilitate crime, but that it intentionally chose not to build the systems, perform the monitoring, or file the reports the statute requires. An ODFI that made a deliberate institutional decision not to flag the fixed-payment MCA pattern — or that never built the monitoring capability to detect it — acted willfully in the only sense the statute requires. The absence of criminal intent to facilitate usury is irrelevant to the question of whether the bank willfully failed to monitor for it.

At the second level, for any statute that does require knowledge — including the mail and wire fraud predicates that underlie federal racketeering claims — willful blindness is legally equivalent to actual knowledge. The Supreme Court established this in Global-Tech Appliances, Inc. v. SEB S.A. (2011): a defendant who (1) subjectively believes there is a high probability that a fact is true, and (2) takes deliberate actions to avoid confirming that fact, is treated as having knowledge of that fact. The State A/State B compliance trap documented earlier in this article maps directly onto that standard. In State A, the ODFI deliberately avoided reviewing the agreement — the very document that would have revealed the warranty’s impossibility. In State B, the ODFI reviewed the agreement and had actual knowledge. There is no state in which the ODFI lacked both knowledge and the deliberate avoidance of knowledge. The compliance trap is not merely a Nacha rules problem. It is a willful blindness framework that satisfies the knowledge element of any federal statute that requires it.

The distinction between “we made mistakes” and “we chose not to look” is the distinction the law cares about. And the fixed-payment MCA pattern — visible on the face of any bank statement, computable in ninety seconds, and now documented as criminal conduct in a public enforcement record — is not the kind of thing an institution fails to see by accident. It is the kind of thing an institution fails to see because it has decided, at an institutional level, that seeing it would be inconvenient.

The final retreat will be: we were not willfully blind — we were merely negligent. We did not choose not to look. We looked, and we did a bad job. This argument does not help the bank that makes it. It destroys the bank that makes it. Under the BSA, the crime is not facilitating usury. The crime is failing to maintain adequate systems to detect suspicious activity. 31 U.S.C. § 5322 criminalizes willful failure to comply with the monitoring, reporting, and program-maintenance obligations of § 5318. A bank that says “our monitoring systems were inadequate” is not offering a defense to that charge. It is entering a confession. The BSA does not ask why your systems failed. It asks whether you maintained systems adequate to detect what you were obligated to detect. “We did a bad job” means the systems were inadequate. That is the violation — not a defense to it.

And the “bad job” characterization does not survive contact with the pattern itself. This is not a sophisticated fraud requiring forensic accounting to uncover. It is identical dollar amounts, same originator, same frequency, posting to a business account, day after day, or week after week, under an authorization whose stated formula requires variable amounts. Every ODFI in the country has transaction monitoring systems. Every one of those systems can be configured to flag identical recurring debits from a single originator. If the system was not configured to flag this pattern, that is not a bad job. That is a design choice — a decision about what the system would and would not look for.

And after March 2024, when a concluded state enforcement action established that this specific pattern represents criminal usury across 115,468 transactions, an ODFI that still has not configured its monitoring to flag it has not done a bad job. It has made a choice not to know what a public enforcement record has made knowable. That is not negligence. That is the definition of willful blindness — the deliberate decision not to confirm what you have every reason to believe is true.

The “just processing payments” defense is the argument of an institution that has not read the statute it is subject to, has not studied the enforcement actions brought against institutions that made the same argument, and has not reckoned with the fact that it is not processing payments — it is warranting them. Every ODFI that continues to originate fixed-payment MCA entries without adequate diligence is not an innocent intermediary caught in someone else’s scheme. It is a regulated institution that has made a choice — the choice not to build the systems, perform the diligence, or ask the questions that its statutory obligations and its own unconditional warranties require. That choice has a name under the BSA. It is called willful failure to maintain an adequate anti-money laundering program. And the penalties for it are not administrative. They are criminal.

The Question Nobody Has Asked Publicly: Did the Banks Run the Names?

The NYAG’s Verified Petition is a 289-page public filing. It names specific entities — Yellowstone Capital, Delta Bridge Funding, and their various subsidiaries and successors. It names specific principals — by full legal name, with aliases. It documents specific successor operations that continued operating after earlier enforcement actions. All of this information has been in the public record since March 5, 2024.

115,468 transactions over roughly a decade, flowing through multiple entity names and multiple origination relationships. Across that volume and that many entities, the ODFI population is not one or two banks. It is a significant cross-section of the ACH origination infrastructure — potentially dozens of ODFIs whose originator portfolios included the entities the NYAG identified as participants in a criminal usury scheme.

The BSA question that follows is elementary: after the petition was filed, did those ODFIs run the named entities and principals against their originator and Third-Party Sender client lists? Did they check whether Yellowstone, Delta Bridge, or any of the named individuals or successor entities were among their active origination clients? A “reason to suspect” analysis under § 5318(g) does not require banks to conduct original investigations. But it does require them to act on publicly available information identifying specific entities engaged in criminal activity through the very payment channel the bank is originating. A name-screening check against a public enforcement filing is the minimum threshold of BSA diligence. It is a database query.

And the question that follows from that one is whether Nacha — the organization whose rules define the ODFI compliance standard, the organization that describes its enforcement role as “promoting Rules compliance” — issued any guidance requiring its member ODFIs to screen their originator portfolios against the names in a concluded state enforcement action documenting criminal conduct through the ACH network it governs. If Nacha did not, that is not merely a gap in guidance. It is an institutional decision not to act on public evidence of criminal activity flowing through its own network — evidence that named specific entities, specific individuals, and specific successor operations, all of which could have been identified in any ODFI’s originator database with a straightforward compliance query.

What This Means for Nacha

Nacha’s rules define the compliance standard against which federal examiners assess ODFI behavior. Nacha’s enforcement function — by its own description — promotes compliance. Nacha’s risk guidance addresses ODFI monitoring obligations. This is Nacha’s framework. These are Nacha’s members. The fixed-payment MCA pattern flows through Nacha’s network under Nacha’s rules.

If Nacha’s risk guidance does not identify the fixed-payment MCA pattern as a mandatory review trigger — despite a concluded state enforcement action establishing that the pattern represents criminal usury across 115,468 transactions — then Nacha’s guidance has a gap. And that gap has consequences: it means the compliance standard against which federal examiners assess ODFI behavior does not flag one of the most obvious predatory origination patterns in the ACH network, even after a public enforcement action made its criminal character a matter of record.

Nacha’s response to the seven questions submitted for this article stated that its enforcement role “is intended to promote Rules compliance.” The evidence now in the public record makes clear what compliance requires. The NYAG established that fixed-payment MCA collections signal criminal usury. This article has identified the specific ACH origination pattern — identical recurring debits under a variable-formula authorization — that marks those collections on the face of any bank’s transaction records. Every ODFI in Nacha’s network that originates entries fitting this pattern has a BSA obligation to flag them for review. Nacha, as the organization whose rules define the ODFI’s compliance standard, has an obligation to say so — and to adopt the trigger, or propose a better one.

The offer to Nacha is the same as it was in the companion article: identify a specific factual error in any published claim, and this publication will issue a correction, attribute it to Nacha, and publish Nacha’s explanation in full. The seven questions remain open. The evidence in the public record is not going away. And the BSA obligations that evidence triggers do not wait for Nacha’s guidance to catch up.

The Structural Dependency Nacha’s Response Cannot Address

The compliance trap documented above — State A or State B, no third option — has an industry-level corollary that transforms this analysis from a case-specific observation into a structural one.

If an ODFI that executes its compliance obligations cannot originate a single ACH entry for a fixed-payment MCA operator collecting under a variable-formula authorization, then a fixed-payment MCA industry operating through the ACH network at scale can only exist if ODFIs systemically fail to execute those obligations. The industry does not merely benefit from ODFI non-compliance. It requires it. ODFI compliance and fixed-payment MCA collection are mutually exclusive — not as a policy preference, but as a logical and arithmetic necessity that follows from the rules Nacha wrote.

The New York Attorney General’s Yellowstone enforcement action — which named the operator whose successor entity is the originator in the underlying litigation — documented approximately 18,000 small businesses subjected to this extraction model. The enforcement action produced a consent order. The operator reconstituted under a new name within months. The ACH extraction mechanism resumed. The ODFIs continued originating entries. The warranties continued being transmitted. Nothing in the enforcement architecture changed, because the enforcement architecture — Nacha’s self-governance model — was not designed to change it.

Every ACH entry in a fixed-payment MCA program generates a per-entry fee paid to Nacha. Nacha’s own operating rules state that per-entry fees are collected to fund, among other purposes, “the net costs of the rules enforcement process.” The entries that generate those fees could not have been originated if the rules those fees fund were actually enforced. The revenue and the compliance obligation are in structural conflict — and the revenue is winning.

This is the structural dependency that Nacha’s response cannot address — not because Nacha’s communications department chose not to, but because no answer exists that preserves both propositions simultaneously. Nacha cannot assert that its rules are adequate to govern the ACH network and simultaneously explain why a product that violates those rules on every entry has operated at scale for years under Nacha’s self-described governance. The rules work. They are not applied. The organization responsible for their application described its enforcement role, in writing, to this publication, as “distinct from statutory authority” and “intended to promote compliance.” The product that survives that promotion is the proof that promotion is not enforcement.

I said at the beginning of this analysis that I am likely not 100% correct in everything that follows — and after all these pages, I’m sure that’s true. This analysis is not about finding fault. Institutions make mistakes. People make mistakes. I have made many throughout my life and career — to be fair, we all do. But the question I posed at the outset has not changed: can our regulated financial institutions, and Nacha, avoid asking the far easier questions in the normal conduct of their business? After everything above, I believe the answer is no — they cannot avoid them, and they should not try.

The pattern is visible. The evidence is public. The obligations are clear. And the fix is not that hard. A trigger standard. A screening requirement. A guidance document that says what everyone in the industry already knows: fixed-payment ACH debits under variable-formula authorizations are a red flag, and after Yellowstone, they are a red flag backed by a public record of criminal conduct. This is fixable. It is fixable quickly. It is fixable without new legislation, without new agencies, and without dismantling anything that works. It requires only the willingness to look at what is already visible and act on what the law already requires. We do not get better as a society by throwing stones, we get better by solving problems, and this problem is not that hard to solve. Uncomfortable? Maybe. Hard? Not even close.

Let no one doubt, though, that inaction has human consequences — consequences that approach life and death. The NYAG’s petition does not document abstract financial losses. It documents what happened to people. A beloved New York City bakery that employed 30 to 50 workers and had operated for nearly three decades was pushed into a spiral of debt by fixed daily collections that had no connection to the Specified Percentages in the agreements, forced to take out new MCAs just to pay existing ones, and closed its doors after its final round of MCAs purported to claim three-quarters of its daily revenue. A plumber in Virginia laid off his employees and shut down the family business his father had built — and after a representative told him the only escape from his ballooning debts was winning the lottery or death, he walked into the woods, recorded a suicide message, and attempted to take his own life. He survived. The representative who told him death was the only way out later testified: “I made a lot of money on the guy.”

These are not edge cases. They are documented outcomes across more than 18,000 identified victims — families, employees, communities — whose businesses were destroyed by a collection mechanism that ran through the ACH network, under Nacha’s rules, with an ODFI’s unconditional warranty behind every extraction. Every day this pattern continues without review, the list grows. The victims of these past crimes, and the victims that will surely follow from today’s and tomorrow’s inaction, have real names, real families, and real wounds.

It is with these souls in mind that two questions remain, each addressed to a different audience. These questions do not have complicated answers. But the people with the real wounds — they deserve answers.

To Nacha: Your CEO described Nacha as the governor of the ACH network, responsible for risk management and rules enforcement. Your formal response to this publication described a rule-writing and education function that promotes compliance and does not resolve disputes. Both statements are on the record. One of them must be true. If Nacha is the governor and enforcement authority Ms. Larimer described publicly, then it has the authority and the obligation to act on the evidence now in the public record — to issue guidance identifying the fixed-payment MCA pattern as a mandatory review trigger, to require ODFIs to screen their originator portfolios against concluded enforcement actions, and to enforce its own rules against the origination of entries that fail the due and owing warranty on their face. If Nacha cannot do these things — if its institutional capacity, its governance structure, or its funding model prevent it from manning the post its CEO claimed — then Nacha has an obligation to say so, publicly and clearly, so that the federal agencies that incorporated Nacha’s rules into their examination standards can determine whether further regulation is required to fill the gap Nacha’s own response has now confirmed exists.

To every ODFI operating within the Nacha framework: The pattern is clear. Identical ACH debits, same amount, same originator, recurring daily or weekly, to a business account, under an authorization whose stated formula requires variable amounts tied to actual revenue. You can see it on any bank statement. The NYAG established — across 115,468 transactions, with insider testimony and $4.5 billion in documented collections — that transactions fitting this pattern often signal criminal usury. That finding is public. It is in the record. It names specific entities and specific principals. You are on notice. How can you originate one more ACH entry fitting this pattern without first doing the work to verify that the amount is actually due, that the obligation is legally enforceable, and that the payee is legally entitled to receive payment? Because the due and owing warranty you place behind every entry you originate does not say “to the best of your knowledge.” It does not say “based on the originator’s representations.” It is unconditional. And the evidence establishing what this pattern represents is no longer a matter of investigative speculation. It is a matter of public record, supported by the admissions of the people who built the scheme. The question is not whether you knew. The question is whether you can credibly claim you had no reason to suspect. After March 5, 2024, the answer is no.

To see my other work, visit Extracted. An excerpt from “The Perfect Lap” captures the heart of what My Desert, my recently completed book, explores: the journey from striving to alignment, from performing to being present. The full book traces forty years of wandering through what I call the spiritual desert—learning to distinguish between the God we construct and the God who actually shows up. My Desert will be available this summer.

Thanks for reading Extracted! Subscribe for free to receive new posts and support my work.

In January 2025, the New York Attorney General’s office announced the largest enforcement action in its history: a $1.065 billion judgment against the Yellowstone Capital network, delivering over $534 million in debt relief to more than 18,000 small businesses. The settlement named principals, imposed permanent industry bans, and vacated thousands of confessions of judgment used to freeze merchant bank accounts without notice or hearing.

Six months later, a Yellowstone principal was running a successor operation. The broker network was using a name belonging to a Yellowstone subsidiary listed in the NYAG’s own complaint. ACH debits were flowing through one of the largest banks in the United States. And the merchants being collected from had, under Nacha’s governance framework, no direct path to complain to the organization that wrote the rules governing each transmission.

This is not a story about one enforcement failure. Yellowstone reconstituted after earlier NYAG investigations. Its successor, Delta Bridge Funding, collected an estimated $1.2 billion after the regulatory pressure that was supposed to shut the original network down. Operators named in FTC actions have resurfaced under new entities within weeks of permanent injunctions. The enforcement record against predatory MCA is substantial and determined. It has not been enough.

Understanding why requires looking past the operators to the banking infrastructure that makes every collection possible. And to the private trade association — governing $86.2 trillion in annual transactions on a $26.8 million budget — that calls itself the enforcement authority for the rules that made it all possible.

A predatory MCA operator cannot collect a single dollar through the ACH network without a federally regulated bank placing its charter and its unconditional warranty behind each transmission. Remove the bank’s compliance failure, and the extraction stops permanently.

This article argues Nacha has built a system in which banks function simultaneously as the enforcer that makes extraction irresistible, the fence that launders unlawful loan proceeds into the mainstream financial system under institutional certification, and the keeper that blocks or indefinitely delays their return. Not through bad faith. Through structure — a governance and funding architecture that ensures the institutions paying Nacha’s bills are also the only parties who can trigger its enforcement process. And through federal acquiescence that converted a trade association’s private rulebook into the de facto regulatory framework for one of the most consequential financial networks in the world.

I. The Mechanism — What Predatory MCA Collection Actually Is

The Product as Designed

A merchant cash advance is structured as a purchase of future receivables, not a loan. A funder advances capital in exchange for a specified percentage of the merchant’s future revenue until a larger purchased amount is collected. In a legitimate transaction, collections flex with actual revenue. If business slows, payments adjust. The merchant bears business risk but retains the ability to manage cash flow.

The legal distinction matters: courts have recognized genuine receivables purchases as distinct from loans, placing them outside usury statutes. The distinction depends on three structural features: variable payments that flex with actual revenue, no fixed maturity date, and no absolute repayment obligation — if the business earns nothing, the funder collects nothing.

The Product as Deployed

The NYAG’s investigation documented the reality across 115,468 transactions: fewer than 70 — 0.06% — ever received a reconciliation adjustment. In practice, predatory MCA operators collect fixed, identical amounts automatically from the merchant’s operating account each week or day, regardless of what the business actually earned. The specified percentage formula exists in every contract. It is never calculated and never applied. It is legal camouflage, inserted to avoid usury classification. Effective interest rates, computed from the agreement’s own face terms, routinely range from 250% to over 2,000% annually.

The ACH Control Mechanism

What distinguishes predatory MCA from every other form of predatory lending is not the interest rate. It is the extraction mechanism, and the trap that makes interrupting it worse than enduring it:

• The merchant who instructs their bank to block the debit has committed a contractual default.

• The merchant who moves funds to protect cash flow has committed a default.

• The merchant whose account has insufficient funds — because the fixed extractions depleted it — has committed a default.

• In states permitting confessions of judgment, the MCA operator can freeze the merchant’s personal accounts without notice or hearing, sometimes within days of a missed payment.

The NYAG found that Yellowstone entities obtained confessions of judgment from merchants nationwide, with courts entering them by the thousands — functioning as an arm of the enterprise’s collection apparatus. But the extraction layer — the mechanism that moves money before any of that enforcement is even necessary — runs entirely through the ACH network. And the ACH network requires an ODFI to place its unconditional warranty behind each transmission.

II. Three Roles — Enforcer, Fence, and Keeper

Every ACH debit involves at least four parties, and understanding their roles is essential to the structural argument that follows. The merchant whose account is debited banks at the Receiving Depository Financial Institution — the RDFI. The entity that initiates the debit — in the MCA context, the funder collecting on the advance — is the Originator. The bank that transmits the debit into the ACH network on the originator’s behalf is the Originating Depository Financial Institution — the ODFI. And between the originator and the ODFI, there is frequently a payment processor or Third-Party Sender — an intermediary that aggregates originators, manages their ACH activity, and maintains the direct contractual relationship with the ODFI.

That intermediary layer matters. When an ODFI transmits a debit entry, its warranty under Nacha’s rules attaches to the entry itself — not to the identity of the ODFI’s direct client. The ODFI warrants that the amount is due and owing from the receiver to the originator, regardless of whether the originator contracted directly with the ODFI or reached the network through a processor. In practice, this creates a structural defense that ODFIs deploy after the fact: the bank claims it had no direct relationship with the MCA operator — that its client was the processor, not the originator — as though the warranty it made on every entry were contingent on knowing who stood behind it. It is not. The warranty is unconditional. The ODFI made it. And under Nacha’s Operating Rules, the ODFI is responsible for every originator that reaches the network through it, whether directly or through a Third-Party Sender (Nacha Rules § 2.2.2). The bank’s role in this architecture is not passive. Under Nacha’s Operating Rules, the ODFI performs three distinct functions, each structurally essential to the predatory MCA model.

Role One: The Enforcer

When an ODFI transmits an ACH debit entry, it makes the extraction legally effective and practically irreversible. ACH settlement is not a request or an invoice. It is a completed transfer. By the time the merchant sees the debit, the funds have already moved through the ODFI’s routing number into the operator’s account.

This is what makes predatory MCA categorically different from every other form of predatory lending. A lender who sends a bill can be ignored. A lender who files suit can be contested. A lender who uses the ACH network has already collected before the merchant can mount a response. The bank’s transmission is not the mechanism through which the operator collects after winning a dispute. It is the mechanism through which the operator collects before the merchant can mount one.

Role Two: The Fence — The Laundering of Unlawful Proceeds

The fence metaphor is not rhetorical flourish. It is a precise description of a legal function. A fence converts stolen goods into legitimate commerce by introducing them into normal market channels with a representation of lawful origin. The ODFI performs a structurally identical — and legally more powerful — function in the predatory MCA context.

When a predatory MCA operator collects under a criminally usurious obligation, the proceeds of each collection are, correctly characterized under applicable law, the proceeds of an unlawful debt. They are dirty. The underlying obligation is void ab initio — not merely voidable, but legally nonexistent as an enforceable claim. Under 18 U.S.C. § 1957, receiving or transmitting proceeds of specified unlawful activity through a financial institution in amounts exceeding $10,000 is a federal crime. Under 18 U.S.C. § 1956, conducting a financial transaction involving proceeds of specified unlawful activity to promote that activity or conceal its origins is money laundering.

The ODFI’s routing number and warranty do not merely facilitate the collection. They transform the legal character of the proceeds. Each ACH entry bearing the ODFI’s routing number carries into the mainstream financial system an unconditional institutional representation that:

• The originator has been verified through federally required due diligence

• The specific debit has been reviewed and validated against the operative authorization

• The amount being collected is presently existing, legally enforceable, and specifically determined — due and owing between the parties under a legitimate obligation

• The entry complies with all applicable rules and legal requirements

These representations are made unconditionally under Nacha § 2.4.1 — to the receiving bank, to the Federal Reserve and The Clearing House as ACH operators, and to every other participant in the settlement chain. They are made in the name of a federally chartered, federally supervised, deposit-insured institution. When they are false — when the underlying obligation is a void, criminally usurious debt — the ODFI’s certification does not describe the transaction. It launders it.

The ODFI’s warranty converts the proceeds of an unlawful debt into institutionally certified ACH settlements. The funds exit the transaction not as criminal collections but as compliance-reviewed, warranty-backed, Fed-settled credits bearing the endorsement of a Top U.S. bank. That conversion is the laundering — and it happens on every single entry.

The bank does not receive stolen goods. It does something more powerful: it certifies that the goods were never stolen. The proceeds pass through the ACH network wearing the institutional endorsement of a federally regulated bank as if they were an ordinary accounts-receivable collection. They arrive in the operator’s account already laundered — because a federally supervised institution, transmitting through the Federal Reserve, warranted that each collection was legitimate.

The SAR framework nominally designed to identify this pattern completes the architecture in a revealing way. BSA/AML regulations require the ODFI to file Suspicious Activity Reports when it detects transactions consistent with unlawful activity. Those reports go to FinCEN — not to the merchant. The merchant has no access to the reporting system and no way to know whether it was triggered. The regulatory mechanism for identifying unlawful proceeds runs through the same institution that warranted the proceeds were clean, with a disclosure path that terminates at a federal database the merchant cannot access.

Role Three: The Keeper

When a merchant — or the merchant’s bank — attempts to reverse a collection through the Nacha return process, the ODFI becomes the gatekeeper through whom any reversal must pass. Nacha’s rules give the RDFI the right to submit a proof-of-authorization request — a written demand that the ODFI produce evidence the debited amount was actually authorized. The ODFI has ten banking days to respond. But response is not the same as return.

In a documented exchange from March 2026 — arising from a dispute over collections by a Yellowstone-connected operator — the originating bank’s ACH department responded to a second proof-of-authorization request. Eight words in that response contain the entire structural argument of this article:

”Request was processed on 3/17/2026 and sent to our originator.

We are waiting for proof or permission to return.”

”We are waiting for proof or permission to return.” The bank that warranted — unconditionally, on every entry, with no knowledge carveout and no good-faith exception — that the amount was due and owing to the originator from the receiver was asking the entity that collected the money whether it was permissible to give it back. Not whether returning the funds was legally required. Whether it was permitted. By the originator. This inverts the warranty structure at the most fundamental level possible: the unconditional warranty runs forward frictionlessly; the return runs backward only with the originator’s blessing. The originator’s permission is legally irrelevant — the warranty was unconditional, made without condition, effective at the moment of transmission. That irrelevance is precisely the point. The bank does not believe its warranty gives it the independent authority to reverse its consequences. The one-year Nacha return window runs regardless of that institutional hesitation. The keeper function closes the window without a return — and the merchant’s last contractual remedy expires unused.

Nacha’s response to the questions in Section VII describes the RDFI’s two-banking-day return right as the remedy available to business account receivers. That right is permissive, not mandatory. And as the documented exchange above shows, it is subject to the ODFI conditioning any return on originator permission — which Nacha’s response did not address.

III. The Duty of Care — Why ”I Tried” Is Not a Defense

Before examining why Nacha’s governance structure fails to prevent these outcomes, it is necessary to address a foundational question: what standard of conduct applies to banks originating ACH entries?

Banking is a federally licensed, federally supervised, federally insured activity. The federal charter is not a certificate of participation. It is a grant of extraordinary privilege: the right to accept deposits backstopped by the FDIC, access to Federal Reserve payment systems, and participation in an interbank settlement network that is legally inaccessible to unlicensed parties. That privilege comes with commensurate obligation.

The Regulated Industry Standard

Courts have long recognized that regulated industries operate under a heightened duty of care relative to unregulated commercial actors. The rationale is simple: the regulation exists precisely because the activity is dangerous enough to require supervision. A licensed institution that fails to meet its regulatory obligations cannot argue that it tried, or that it acted in good faith, or that the failure was a reasonable mistake. The regulatory standard is not a floor of effort. It is a standard of result.

For banks, this principle is embodied in the entire structure of federal banking supervision: charter requirements, capital adequacy rules, examination authority, enforcement powers, and civil and criminal liability for BSA failures. A bank does not get credit for having a compliance program. It gets examined on whether that program identifies and addresses prohibited conduct. The difference between a compliance program and compliance is the difference between a fire extinguisher and an actually extinguishing fire response.

ACH Origination as Self-Regulated Activity Within a Regulated Industry

ACH origination sits at a unique intersection: it is an activity conducted by federally regulated institutions, governed by rules written by a private trade association whose members are those same institutions. That intersection does not reduce the duty of care. It heightens it.

Self-regulation within a regulated industry is only legally and institutionally viable if the self-regulated activity is conducted at a standard equal to or exceeding what direct federal regulation would require. That is the implicit compact when a federal regulator accepts a self-regulatory framework: the industry is representing that it can govern itself at the required standard. When the self-regulatory body is funded by the institutions it governs, whose rules those institutions write, and whose enforcement those institutions control, the representation is strained from the outset. The duty of care that attaches to the underlying regulated activity — banking — does not diminish because the specific sub-activity is nominally self-regulated. It attaches in full.

The ODFI warranty is not a best-efforts obligation. It is an unconditional certification. Nacha’s Operating Rules contain no knowledge carveout, no good-faith exception, and no materiality threshold for the § 2.4.1.6 due-and-owing warranty. An ODFI that transmits an entry does not warrant that it believed the amount was due and owing. It warrants that it is. The distinction is not semantic. ”I believed” is a negligence standard. ”It is” is an absolute guarantee. The bank accepted the absolute guarantee as a condition of ACH network participation.

The warranty is not a best-efforts representation. It is an unconditional guarantee made by a federally licensed institution transmitting through a Federal Reserve payment system. ”I tried” is not a defense. Neither is ”I didn’t know.” The warranty standard does not accommodate ignorance — particularly ignorance the bank was required by its own compliance obligations to cure before transmitting entry one.

Why BSA/AML Failures Are Criminal Acts — Not Compliance Lapses

This point deserves plain statement, because the industry’s self-description — and Nacha’s governance framework — consistently treat BSA/AML failures as compliance deficiencies subject to remediation. They are not. They are federal crimes.

The Bank Secrecy Act, 31 U.S.C. § 5318, imposes mandatory obligations on financial institutions: maintain anti-money-laundering programs, conduct customer due diligence, file Suspicious Activity Reports when required, and refrain from conducting transactions they know or have reason to know involve the proceeds of specified unlawful activity. Willful failure to maintain an adequate AML program is a criminal offense under 31 U.S.C. § 5322, carrying penalties of up to ten years imprisonment and fines of up to $500,000 per violation. Conducting a transaction with knowledge that the funds are criminally derived is money laundering under 18 U.S.C. § 1956 — a separate felony carrying up to twenty years imprisonment.

The enforcement record demonstrates that federal prosecutors and regulators treat BSA/AML failures as crimes — not administrative deficiencies — when the pattern is systematic and the volume is significant:

• TD Bank (2024): $3 billion in penalties — the largest BSA penalty in history — for systematic AML failures that allowed drug cartels to launder hundreds of millions of dollars through routine banking transactions. Three years of willful failure to monitor transactions that its own compliance officers flagged.

• Rabobank (2018): $369 million in penalties and a guilty plea for BSA/AML failures that allowed drug trafficking proceeds to flow through its branches. The bank’s compliance staff knew about the problem and was instructed to look away.

• USAA FSB (2023): $140 million in penalties for AML program failures including inadequate transaction monitoring for accounts with patterns of suspicious activity the bank had identified.

These were not cases where banks tried and fell short. They were cases where the monitoring obligation existed, the pattern was visible, and the institution declined to act on it. The BSA does not grade on effort. It grades on performance.

In the predatory MCA context, the monitoring obligation is clear, the trigger pattern is mechanical, and the consequence of non-performance is identifiable from the face of the ACH entries themselves. Three consecutive fixed-amount entries under a variable-formula authorization is not a subtle anomaly requiring sophisticated analysis. It is arithmetic. Any ACH monitoring system designed to catch unauthorized patterns catches this one — if it is designed to catch it at all.

An institution that originates thirty-one entries under a variable-formula MCA authorization, collects fixed identical amounts each time, never performs a SAR assessment triggered by the pattern, and then claims it cannot locate the originator in its own systems has not made a compliance mistake. It has documented — through its own records — either a BSA program that does not function, or a BSA program that functions and whose output was disregarded. Neither description is a compliance lapse. Both are the factual predicate for a BSA criminal referral.

IV. The Governance Gap — The Numbers That Define the Failure

If Nacha’s rules, correctly applied, bar every one of these transmissions — why has the industry operated through the ACH network for decades? The answer lies in Nacha’s governance and funding architecture. The rules are adequate. The institution responsible for enforcing them is structurally incapable of doing so against its own funding base.

The Funding Comparison — What ”Governance” Actually Costs

Nacha’s 2023 Form 990 — on file with the IRS, publicly available through ProPublica’s Nonprofit Explorer — reports total revenue of $26,817,338 and a staff of 77 employees. Jane Larimer’s total compensation in that filing was $1,141,094.

The IRS — the federal agency that governs tax compliance for the same economy that runs through Nacha’s network — had a FY2023 enacted discretionary budget of $12.3 billion and approximately 85,000 employees. The IRS Commissioner, Danny Werfel, was paid under the Executive Schedule Level II — a congressionally mandated rate of approximately $221,400 annually. The head of the federal agency that actually has enforcement authority over the institutions Nacha governs earns less than a fifth of what the head of the trade association that writes their compliance rules earns.

The CEO of the organization that governs $86.2 trillion in annual transactions — who describes herself as the governor and enforcement authority of the ACH network — earns five times what the Commissioner of the IRS earns. The IRS Commissioner oversees 85,000 employees, a $12.3 billion budget, and statutory enforcement authority over the entire U.S. tax system. Jane Larimer oversees 77 employees, a $26.8 million trade association budget, and an enforcement process that responded to a documented federal RICO complaint in eleven minutes with one sentence.

This is not a comment on compensation. It is a comment on institutional architecture. The person who governs $86.2 trillion earns more than five IRS Commissioners combined, works at an organization with no statutory authority, no congressional oversight, no APA rulemaking requirements, and no merchant-accessible complaint mechanism — and is paid by the institutions she is supposed to hold accountable.

The 501(c)(6) Conflict — Built Into the Revenue Model

Nacha’s per-entry fee structure creates a conflict that operates at the level of institutional incentive, not individual ethics. Every ACH entry — including every fixed-payment MCA extraction — generates revenue for Nacha. An enforcement action that terminates a high-volume MCA originator’s ACH access eliminates a revenue stream. A compliance failure that is never detected or acted upon costs Nacha nothing.

The governance conflict that allows these actions to persist has a specific institutional face. According to Nacha’s publicly available board records, one of the major banks that has operated as an ACH originator throughout the predatory MCA boom period has had its Senior Vice President and Head of Commercial Payments Products serving as Vice Chairperson of the Nacha Board of Directors — the board that oversees the enforcement function whose eleven-minute response is documented in this article. The person responsible for that bank’s commercial payments products, including its ACH origination infrastructure, sat on the board overseeing the enforcement of the rules governing that same infrastructure. That is not a conflict of interest in the conventional sense. It is the governance structure operating as designed: the institutions set the rules, the institutions oversee enforcement, and the institutions decide what enforcement looks like. That board relationship is one reason why Nacha’s governance framework — as Nacha’s own response to the questions in Section VII confirms — describes its enforcement role as promoting compliance rather than exercising authority.

V. The Federal Government’s Acquiescence — How Washington Made It Permanent

Nacha’s governance failures would be serious if Nacha were a purely private institution. They are compounded by something more consequential: the federal government has incorporated Nacha’s rules into federal regulatory frameworks as if they represented an independent, adequately resourced, publicly accountable standard — and in doing so, has lent federal authority to a trade association’s rulebook without providing the oversight that federal authority requires.

Incorporation by Reference — The Legal Mechanism

The most direct form of federal acquiescence is incorporation by reference. Title 31 C.F.R. Part 210 — the regulation governing federal government participation in the ACH network — states explicitly in § 210.2(a) that ”ACH Rules means the 2021 Operating Rules & Guidelines... published by Nacha.” The federal regulation governing billions of dollars in government ACH transactions delegates the substantive rule content to Nacha’s privately published guidelines, updated periodically through Nacha’s internal amendment process, with the federal government following Nacha’s changes through subsequent Federal Register rulemaking.

The Federal Register has published at least four rounds of Part 210 updates — in 2014, 2017, 2020, and 2022 — each of which amends federal regulations to track Nacha’s latest rule revisions. The federal government is not writing payment network rules. It is transcribing Nacha’s rules into the Code of Federal Regulations with a publication delay. Nacha amends the private rulebook; Treasury publishes a Federal Register notice adopting most of the changes; the cycle repeats.

The Federal Reserve’s Role

Regulation J (12 C.F.R. Part 210) governs funds transfers through the Federal Reserve’s FedACH system — through which a substantial share of ACH transactions settle. That regulation incorporates Nacha’s rules by reference as the governing framework for FedACH transactions. When the Federal Reserve settles ACH entries, it does so within a framework whose substantive rules were written by the institutions that use the Federal Reserve’s settlement services.

The Federal Reserve is not a passive participant. It is the settlement engine. Its participation gives each ACH transaction the additional institutional weight of Federal Reserve settlement — which is what makes the settlement final and the extraction irreversible. The Fed’s infrastructure operates within Nacha’s rule framework. Nacha’s rule framework was written by the banks. The banks write the rules governing the transactions the Fed settles. The circle is complete, and the merchant is outside it.

The Regulatory Examination Framework

The OCC, the FDIC, and the Federal Reserve have each issued guidance that incorporates Nacha’s rules as the relevant standard for ACH origination compliance. OCC Bulletin 2006-39, the FFIEC BSA/AML Examination Manual, and FinCEN Advisory FIN-2012-A010 all reference the Nacha framework as the applicable compliance standard that examiners assess during bank examinations. An examiner reviewing an ODFI’s ACH origination practices uses Nacha’s rules as the benchmark.

This incorporation means that Nacha’s adequacy — or inadequacy — as a governance body is laundered through the federal examination framework. When the OCC examines a major ODFI’s ACH compliance, it assesses whether that bank complied with Nacha’s rules. It does not assess whether Nacha’s rules are adequate to prevent predatory MCA origination. That question — the antecedent question — is never asked, because the federal examination framework has already accepted Nacha’s rules as the answer.

The federal government adopted a trade association’s rulebook as the governing standard for an $86.2 trillion payment network — without requiring that the trade association have independent funding, a merchant-accessible enforcement mechanism, or any accountability to the public it purports to protect. That acquiescence is not incidental to the predatory MCA problem. It is structural to it.

What Acquiescence Looks Like in Practice

The practical consequence of federal acquiescence is visible in the enforcement record. State attorneys general — the NYAG, the FTC, state regulators — have pursued predatory MCA operators using state law: usury statutes, consumer protection laws, fraud claims. They have achieved significant results. They have not been able to reach the ODFI relationship, because the ODFI relationship is governed by Nacha’s rules, and Nacha’s rules are accessible to enforcement only through a complaint filed by a financial institution.

Federal banking regulators — the OCC, the FDIC, the Fed — have authority over the ODFIs. They have the examination power. They have the enforcement authority. They have incorporated Nacha’s rules as the standard. What they have not done is use their examination authority to systematically identify and act on the ODFI origination patterns that are the mechanical signature of predatory MCA collection: fixed identical ACH debits, week after week, under variable-formula authorizations, with no SAR filings, no authorization reviews, and no pattern-based monitoring.

That pattern is visible in every ODFI’s ACH origination records. It requires no whistleblower, no informant, and no sophisticated investigation. It requires a query: show me all originators for whom consecutive entries were made in identical dollar amounts under a CCD code from a counterparty in the MCA industry. The answer would identify the problem systematically. The query has not been mandated. The examination framework did not require it. Nacha’s rules did not produce it.

VI. The Yellowstone Pattern — The Structural Proof

The Yellowstone Capital network is the most thoroughly documented case study of what this architecture produces at scale.

The NYAG’s 289-page petition documented a decade of operations: billions in collections from tens of thousands of small businesses, effective interest rates from 250% to over 2,000%, reconciliation in 0.06% of transactions, and systematic confessions of judgment. Every dollar of those collections moved through the ACH network. Every entry carried an ODFI’s routing number and unconditional warranty. The enforcement action named the operators. It did not name the ODFIs.

The Reconstitution Cycle

Yellowstone’s reconstitution history is the empirical proof of the structural argument. After earlier investigations, the network reorganized as Delta Bridge Funding — same principals, same offices, same model, $1.2 billion in collections before the final settlement. After the NYAG’s petition, a named Yellowstone principal was originating ACH collections through one of the country’s largest banks within months. The broker network used the name of a Yellowstone subsidiary in the NYAG’s own complaint. That bank’s system-generated Collection Entry Report showed the Yellowstone affiliated entity carrying a NON-NACHA originator designation in the bank’s own ACH origination system.

The operator’s entity name changes. The routing number does not. As long as the ODFI relationship reconstitutes — and Nacha’s governance framework gives no institutional party an incentive to prevent that reconstitution — the extraction continues regardless of how many enforcement actions have named the principals behind it.

The NON-NACHA designation in that bank’s own system-generated records deserves specific attention, because it illuminates a precise internal contradiction. The bank’s ACH origination infrastructure classified the “Co Named” Originator transmitting these entries as NON-NACHA — meaning outside the standard Nacha direct membership framework, operating without the direct compliance obligations that Nacha membership imposes. At the same moment, the bank was transmitting each of those entries under the full Nacha warranty: that the amount was due and owing, that the authorization was proper under the Rules, that the entry complied with all applicable requirements. The bank’s internal classification said: this party does not operate within Nacha’s standard framework. The bank’s external warranty said: this entry complies with Nacha’s rules in every respect. Both statements cannot be true simultaneously — unless the bank warranted on behalf of the NON-NACHA party. The internal designation that should have triggered the heightened scrutiny Nacha’s own framework requires for NON-NACHA originators instead coexisted with the unconditional warranty — leaving the merchant with a certification that the bank’s own records contradict.

Nacha’s Response — The Eleven-Minute Document

When a plaintiff in a federal RICO case submitted a complaint to Nacha — containing the case filing, ACH trace numbers, the originating bank’s own system-generated Collection Entry Report showing the NON-NACHA designation, and a specific warranty analysis — the response arrived in approximately eleven minutes:

”Nacha only accepts violations from financial institutions. Please contact your financial institution and have them file on your behalf.”

Contact your financial institution. In ACH terminology, that means your RDFI — the bank that holds your account and received the entries on your behalf. Not the bank that originated the entries. Not the bank that warranted each extraction as due and owing. Your RDFI can, but is not required to, submit a proof-of-authorization request to the ODFI on your behalf. That is the only path Nacha’s framework makes available to you, a merchant — a permissive right belonging to your bank, which your bank may or may not exercise (it is not legally compelled to do so). Nacha’s own website, in directing merchants to ”contact your financial institution,” implies this is a resolution path. It is a resolution suggestion. Whether it becomes anything more depends entirely on whether your RDFI chooses to act, whether the ODFI responds within the return window, and whether the originator — the party that collected the money — grants what the ODFI, in at least one documented case, described as ”permission to return.”

This is not a failure of the enforcement system. It is the system. The governor of an $86.2 trillion network — with a $26.8 million budget, 77 employees, a CEO compensated at over $1.1 million — responded to a documented federal RICO complaint in eleven minutes. The federal government, through Regulation J and the FFIEC examination framework, had already incorporated this organization’s rules as the governing standard. This is what that standard produces.

The structural argument of this article is not abstract. In announcing the Yellowstone lawsuit, Attorney General James described a merchant — a plumber in Virginia — who was told that death was the only escape from his ballooning debts. He attempted suicide. Every dollar of those debts moved through a warranted ACH entry. Every entry bore a routing number. Every routing number belonged to a federally regulated bank. When the system that took his money failed him, there was no enforcement mechanism available to him. Not from Nacha. Not from his bank. Not from the ODFI. The article he might have read about the ACH network would have told him it is safe, smart, and fast.

Source: NYAG Press Release, March 5, 2024. People of the State of New York v. Yellowstone Capital LLC et al., Index No. 450750/2024.

VII. Questions for Nacha — Addressed to CEO Jane Larimer

The following questions were submitted to Nacha’s communications department and addressed specifically to CEO Jane Larimer. They are grounded in her public statements characterizing Nacha’s role. In October 2024 she stated: ”Nacha is the governor of the ACH network in the United States. That means we write the rules, the standards, we have risk functionality and also run the enforcement of the rules as well.” In an earlier interview she stated: ”I am responsible for the ACH network rules, the risk management and rules enforcement.” These questions ask the organization’s chief executive to account for the gap between those characterizations and the documented outcomes.

1. In October 2024 you described Nacha as the governor of the ACH network that ”runs the enforcement of the rules.” The NYAG documented over $1 billion in MCA collections that moved through the ACH network — collections made by a network whose principals you now know were named in the largest state enforcement action against predatory MCA in history. Did Nacha’s network compliance function identify the origination pattern — fixed, identical ACH debits under variable-formula receivables purchase authorizations — that characterized Yellowstone’s collections during the period those collections occurred? If not, why not? If yes, what enforcement action did Nacha take?

2. Nacha’s Network Compliance department responded to a documented complaint containing a federal RICO filing, ACH trace numbers, and a specific warranty analysis in approximately eleven minutes with a single sentence directing the complainant to the financial institution whose conduct the complaint documents. Is this response consistent with your characterization of Nacha as the enforcement authority for the ACH network? What remedy exists, within the current framework, for a small business owner whose RDFI declines to file a proof-of-authorization request on their behalf?

3. Nacha’s 2023 Form 990 reports total revenue of $26,817,338 and a staff of 77 employees — governing $86.2 trillion in annual ACH transactions. The IRS governs $5 trillion in annual tax receipts with a $12.3 billion budget and approximately 85,000 employees. The IRS Commissioner is paid under the Executive Schedule at approximately $221,400 annually. Your total compensation in the 2023 Form 990 is $1,141,094. Do you believe a $26.8 million trade association with 77 employees has the institutional capacity to serve as the enforcement authority for an $86.2 trillion network? What specific enforcement infrastructure — not rules, not guidance, but staffed enforcement capacity — does Nacha maintain to monitor ODFI origination patterns for predatory MCA activity?

4. Title 31 C.F.R. Part 210 incorporates Nacha’s Operating Rules by reference into federal regulation, and the OCC, FDIC, Federal Reserve, and FinCEN have each incorporated Nacha’s framework into their examination guidance. Given that the federal government has treated Nacha’s rules as the regulatory standard for ACH compliance, does Nacha believe it has obligations commensurate with that regulatory role — including an obligation to maintain enforcement mechanisms accessible to the merchants whose accounts its rules govern? If not, is Nacha asking the federal government to incorporate a standard into federal regulation that Nacha does not intend to enforce?

5. Nacha’s rules require ODFIs to monitor origination activity across multiple settlement dates. Three consecutive ACH entries of identical dollar amounts under a variable-percentage-of-receivables authorization — entries that by the agreement’s own terms should fluctuate with actual business revenue — constitute a pattern categorically inconsistent with the stated collection formula. Does Nacha’s risk guidance address this specific pattern as a mandatory SAR assessment trigger? Has Nacha taken enforcement action against any ODFI for failing to flag this pattern in documented MCA collections? If not, what deters an ODFI from concluding that systematic origination of fixed-payment MCA entries is tolerated by Nacha’s enforcement framework?

6. The Bank Secrecy Act imposes mandatory AML program obligations on financial institutions, with willful non-compliance carrying criminal penalties under 31 U.S.C. § 5322. Enforcement actions against TD Bank, Rabobank, and USAA FSB demonstrate that federal prosecutors treat systematic monitoring failures as criminal matters, not administrative ones, when the pattern is sustained and the volume is significant. The predatory MCA origination pattern — fixed identical collections under variable-formula authorizations — is more mechanically visible than most SAR triggers and requires only arithmetic to identify. Does Nacha have a published position on the BSA standard applicable to ODFI origination of fixed-payment entries under variable-formula MCA authorizations — specifically, whether three consecutive identical entries under such an authorization constitute a mandatory SAR assessment trigger? If Nacha has issued such guidance, where is it published and why has it not produced enforcement action against the ODFI origination patterns the NYAG documented across 115,468 transactions? If Nacha has not issued such guidance, why not — and does the absence of guidance constitute Nacha’s implicit position that no mandatory assessment trigger exists?

7. You have described Nacha as one of the best examples of self-regulation in any industry. The 18,000 small businesses identified as Yellowstone victims — and the thousands more victimized by the successor operations that continued after the NYAG’s enforcement action — had no membership, no vote, no complaint access, and no federal statutory protection (EFTA expressly excludes business accounts). The federal government has incorporated Nacha’s rules into federal regulation without requiring a merchant-accessible enforcement mechanism. Is Nacha considering any structural reform to give the merchants whose accounts the ACH network debits direct access to the enforcement framework? If not, is Nacha’s position that merchants whose accounts are subjected to unauthorized ACH collections have no recourse within the governance system Nacha describes as its responsibility?

Nacha’s communications department, through a spokesperson, provided a response on April 2, 2026. That response is reproduced in full below, without editing or omission.

NACHA’S RESPONSE — Received April 2, 2026, reproduced in full

“Nacha’s role is to set and maintain the Operating Rules that support consistent and efficient ACH payment processing within an interbank payment system. Nacha also provides guidance and education to help participants understand their roles within the ACH Network. Nacha does not process any ACH payments and does not have access to information about individual payments.”

“Please note, however, that there are a number of incorrect assertions and conclusions in your draft.”

“The Nacha Operating Rules are the foundation for every ACH payment. The Rules define the roles and responsibilities of financial institutions and establish clear guidelines for each ACH Network participant. Under the Nacha Rules, the warranty made by the ODFI that the payment is authorized does not further apply to the nature of the goods or services for which payment is being made.”

“Nacha’s enforcement role is intended to promote Rules compliance by financial institutions. It is distinct from the statutory authority exercised by regulators, law enforcement or courts. Nacha does not resolve commercial disputes between parties making and receiving payments.”

”The Nacha Rules permit a receiving bank to return an unauthorized ACH payment to the originating bank, typically within two banking days when an unauthorized payment posts to a business account. Although the incidence of unauthorized ACH payments is very low, Nacha recommends that businesses monitor account activity at least daily and consider using bank-offered services—such as debit blocks and positive pay—to help prevent unauthorized payments.”

Nacha’s response did not address the due and owing warranty under § 2.4.1.6, which is the warranty provision most directly implicated by the structural argument above. The goods and services carveout cited in their response addresses commercial disputes about the underlying transaction, not the question of whether the specific dollar amount debited was due and owing between the parties under the operative formula. The two-banking-day return right described applies to entries to business accounts as a permissive right held by the RDFI, not a mandatory obligation — and not a right the merchant can directly invoke. A comprehensive technical response to Nacha’s four substantive claims will be published separately.

VIII. What Would Close the Gap

The argument here is structural, not personal. Nacha’s leadership is technically capable and operationally serious. The ACH network it has built is efficient, reliable, and essential. The rules, as written, provide an adequate compliance standard. The problem is the governance and funding architecture, and the federal acquiescence that embedded that architecture into the regulatory framework without requiring the accountability that regulatory incorporation demands.

Four changes would materially alter the outcome:

• Direct merchant access to enforcement — a merchant-accessible complaint mechanism with defined investigation timelines and defined ODFI response obligations. The CFPB has this. The IRS has this. There is no structural reason Nacha cannot implement it except that doing so would require its member institutions to vote for a mechanism that could be used against them.

• Mandatory RDFI obligations for fixed-pattern MCA collections — making the RDFI’s proof-of-authorization right mandatory, not permissive, when a merchant documents fixed-amount recurring collections under a variable-formula authorization. The fact pattern is identifiable from the ACH entries without additional investigation.

• Federal statutory coverage for business accounts — extending EFTA’s basic dispute rights to small business accounts, or creating a parallel framework. The exclusion of business accounts is a legislative choice that the predatory MCA industry has exploited as a permanent structural advantage.

• Independent federal oversight of Nacha’s enforcement function — with reporting obligations to a federal agency that has direct examination authority over ODFI members and the ability to mandate the origination pattern queries that would systematically identify predatory MCA collections. This requires legislation or a significant expansion of existing regulatory authority.

None of these require new legal theories. They require applying existing obligations — the ODFI warranty, the BSA monitoring standard, the usury arithmetic — to the institutions that have evaded their application for decades by operating under a governance framework that has no mechanism to require it.

A detailed technical response to Nacha’s four substantive claims — addressing the warranty framework, the authorization analysis, and the return mechanism in the terms a regulator and enforcement authority would apply, as well as a thorough review of the questions Nacha did not answer — will be published as a companion document to this article.

About This Article

This article draws on:

• The New York Attorney General’s Verified Petition in the Yellowstone Capital enforcement action (January 2025);

• Nacha’s published Operating Rules (2026 edition);

• Nacha’s annual network statistics;

• Jane Larimer’s public statements including the Currency Research Podcast, Episode #30 (October 2024) and remarks at Nacha’s 50th Anniversary (May 2024);

• Nacha’s Form 990 (2023, EIN 23-7451693, available through ProPublica’s Nonprofit Explorer);

• 31 C.F.R. Part 210 and Federal Register publications (2014, 2017, 2020, 2022);

• The FFIEC BSA/AML Examination Manual;

• OCC Bulletin 2006-39;

• FinCEN Advisory FIN-2012-A010;

• TD Bank (2024), Rabobank (2018), and USAA FSB (2023) enforcement actions;

• And, documented communications from a federal RICO action pending in the Northern District of Texas (Koster v. Cromwell Capital LLC et al., No. 3:26-cv-0743-D).

The author is a pro se plaintiff in that action. Prior to publication, the author submitted the draft article and seven specific questions to Nacha’s CEO Jane Larimer for comment. Nacha’s communications department provided a response, reproduced in full in Section VII. A comprehensive technical response to that response will be published separately. The structural argument applies to the industry as documented across tens of thousands of transactions and is not dependent on the outcome of any litigation.

To see my other work, visit Extracted. An excerpt from “The Perfect Lap” captures the heart of what My Desert, my recently completed book, explores: the journey from striving to alignment, from performing to being present. The full book traces forty years of wandering through what I call the spiritual desert—learning to distinguish between the God we construct and the God who actually shows up. My Desert will be available this summer.

This section of Extracted — The Regulators — exists for one purpose: to document what these recipients do with the information. Every agency that responds, and every agency that doesn’t. Every acknowledgment, every referral, every form letter, and every silence. On the record. With dates.

Not because I expect miracles. I’ve spent a career watching regulatory processes move slowly and institutions protect themselves. But I’ve also watched what happens when a documented, public record exists — when the response time isn’t just a number in someone’s inbox but a visible, searchable, permanent fact. So that’s what this becomes.

Who received letters today

The recipients fall into three groups, each receiving a letter tailored to their mandate and jurisdiction.

The financial regulators and attorneys general received letters focused on the ODFI warranty theory — the argument that Fifth Third Bank, as the Originating Depository Financial Institution under Nacha’s rules, made an affirmative warranty on each of the thirty-one ACH entries it processed that the amount was due and owing, and that we allege this warranty was not met. These are the agencies with both enforcement authority over regulated institutions and supervisory tools to address what happens when an ODFI doesn’t perform the verification its own regulatory framework requires. This group includes the OCC (which supervises Fifth Third as a national bank), the Federal Reserve Bank of Philadelphia (which issued a Written Agreement to Customers Bank for the exact compliance failures at issue), Nacha’s Rules Enforcement division (which has direct authority over Fifth Third as an ODFI member), the New York DFS, the Texas Department of Banking, the Florida AG, the Florida OFR, the Texas AG, the Texas OCCC, and the FDIC.

The consumer and financial crimes regulators received letters framed around the predatory lending harm — the ACH extraction mechanism, the trap structure, the 0.06% reconciliation rate, and what it means that a nearly $20 billion industry has operated at effective rates between 250% and 2,000% while the banking system that enables it faces no accountability. This group includes the CFPB, the FTC, FinCEN, and the FBI’s Dallas field office.

The congressional recipients received letters that make the constituent and policy case — not just the legal theory, but the human reality of what predatory MCA does to the businesses that employ their constituents, the credit access gap that drives demand for these products, and the policy tools that exist to address both the symptom and the underlying cause. This group includes Senate Banking Committee Chairman Tim Scott, House Financial Services Committee Chairman French Hill, and Texas Senators Cornyn and Cruz, and Representative Gooden.

Why twenty, and why now

The sequencing here was deliberate.

There are enforcement actions you file hoping no one notices. This is not one of those. The complaint names two federally regulated banks — Fifth Third Bank, which processed the ACH entries, and Customers Bank, which held Cromwell’s account under an active Federal Reserve enforcement order. The theory that makes those banks defendants is built on Nacha’s own rules, and other banking rules and regulations. The evidentiary foundation includes data from the New York Attorney General’s investigation of the Yellowstone network — the same network that the NYAG found had failed to perform the receivables calculation in 115,468 out of 115,468 transactions.

This is a case that belongs in front of every institution with jurisdiction over any piece of it. The RICO complaint is the federal action. The regulatory letters are the parallel record. They’re not redundant — they’re cumulative. A federal court looks at what has been alleged. A regulator looks at what has been documented. The same facts, read by different institutions, through different mandates, can produce different kinds of accountability.

And there is a second reason, which I want to be transparent about. I’m a pro se plaintiff. I don’t have institutional resources. What I have is a factual record I trust, a legal theory I believe in, and the ability to document everything publicly in real time. Regulatory engagement — filing letters, building a public record, creating a documented request for response — is part of how a party without a law firm creates compounding pressure. Every agency that receives a letter and does nothing has made a documented choice. Every agency that engages has validated the underlying theory. Either outcome advances the record.

What I’m tracking — and what you’ll see here

Starting today, this section will maintain a running update of regulatory responses, highlighting information like agency name, date of contact, current status, days elapsed. No editorializing. Just dates.

I have no illusion that most of these agencies will respond quickly, if at all. The CFPB is operating with reduced resources. The FTC has a full docket. State attorneys general have constituent priorities that don’t begin and end with one RICO complaint. Congress moves at its own speed.

But “we have a full docket” and “we don’t respond to pro se litigants” and “this is a matter for the courts” are themselves data points. If twenty agencies receive a documented complaint about a federally regulated bank using ACH infrastructure to process a pattern of unverified warranties — and none of them respond in any meaningful way — that tells us something important about the gap between what our regulatory system is designed to do and what it actually does.

That’s the story this section will tell. Whether it’s a story of responsive government or institutional silence, it will be documented here, in real time, with evidence.

The underlying theory, briefly

Because this section will reference the ODFI warranty theory repeatedly, it’s worth explaining it once clearly for readers who haven’t read the RICO article.

An Originating Depository Financial Institution — the bank that originates ACH debits on behalf of its customers — is not just a wire service. Under Nacha’s Operating Rules (§ 2.4.1.6), the ODFI makes an affirmative warranty for each entry it transmits: that the amount is due and owing to the originator on the settlement date.

In a merchant cash advance structured as a purchase of receivables — where the contract specifies a percentage of the merchant’s actual revenue — that warranty can only be honest if someone has done the calculation. Verified the receivables for the period. Applied the specified percentage. Confirmed the result. If the MCA company is simply debiting a fixed amount regardless of actual revenue, and the bank is transmitting those entries without requiring or performing verification, we allege the bank’s warranty was not met.

The New York Attorney General documented that across 115,468 transactions in the Yellowstone network, only 0.06% ever received a reconciliation adjustment. That means in 99.94% of those transactions, the specified percentage formula was never applied. The ODFI that processed those entries warranted, for each one, that the amount was due and owing. We allege it wasn’t.

That’s not a theory about one bad actor. That’s a theory about the structural relationship between MCA funders and the banking system. And it’s why the letters that went out today are addressed to banking regulators and law enforcement, not just to state attorneys general pursuing MCA operators.

The regulators I’d most like to hear from

Every agency on the list received a serious letter. But if I’m being direct about where I think meaningful engagement is most likely — and most consequential — it’s the OCC and the Federal Reserve.

The OCC supervises Fifth Third Bank as a national bank. If the ODFI warranty theory is correct, it is a supervisory issue for the OCC, not just a litigation issue for a federal court. The Federal Reserve Bank of Philadelphia issued a Written Agreement to Customers Bank documenting deficiencies in the compliance functions that should have caught Cromwell and Vaysman before the first transaction was funded. The facts alleged in this complaint are precisely the category of conduct that Written Agreement was designed to prevent.

Neither of those agencies had information about this specific situation before today. Now they do. What happens next is up to them — and to this publication’s readers, who will see exactly what that looks like.

The clock starts today.

James L. Koster II is a former Fortune 200 executive with thirty years of experience in institutional capital markets. He is the pro se plaintiff in Koster v. Cromwell Capital LLC et al., Civil Action No. 3:26-CV-0743-D, United States District Court, Northern District of Texas, Dallas Division. Nothing in this publication constitutes legal advice.

If you’ve seen the first few articles in this publication, you know the background. In The Financing Reality for Small Businesses, I described how the disappearance of community banking created a vacuum, and named who rushed in to fill it.

I want to be precise about something before going further. The merchant cash advance industry has legitimate roots. Factoring — the purchase of receivables at a discount to provide businesses with immediate working capital — is a longstanding and legitimate business finance practice. There may be MCA providers operating today who provide capital on reasonable terms, without the control mechanisms I’m about to describe, and who actually administer the receivables formula the contracts specify. I don’t know every operator in this space. I don’t intend to condemn the whole with the part I know.

What I know — from my own experience, from the New York Attorney General’s investigation of the Yellowstone network, and from the pattern documented in the complaint filed today — is that a significant number of players in this industry operate not as a descendant of factoring but as a descendant of something older and less legitimate: loan sharking. Fixed extractions regardless of actual revenue. Personal guarantees that function as leverage, not security. An ACH mechanism that converts “how much do I owe” into “how much can they take.” The New York Attorney General advanced exactly this characterization in their enforcement action against Yellowstone — that what was being sold as receivables financing was in practice a loan sharking operation at industrial scale.

It is worth pausing on that comparison — because calling them loan sharks may actually understate the problem.

The loan shark who showed up at the door with a baseball bat was constrained by geography. He was constrained by the need for physical presence and personal confrontation. He was constrained by the limits of extrajudicial enforcement — threatening someone is different from reaching into their bank account. And he was constrained by scale: one thug, one neighborhood, one set of victims at a time.

The predatory MCA operator faces none of those constraints. The ACH system reaches every business bank account in America. The broker network reaches every small business owner who has ever filled out an online inquiry form. The agreements — drafted carefully by lawyers who understand usury law better than their clients do — unlock access to state courts that can freeze personal bank accounts before the merchant has any opportunity to respond. And the operating structure of a Florida LLC with an Ohio bank processing ACH entries means the operator can extract from a Texas business without ever setting foot in the same state.

The reach is broader. The access to mainstream America is easier. And the combination of access to bank accounts and access to the courts enables these operators to inflict harm at a scale, a speed, and a geographic breadth that no individual loan shark with a baseball bat could ever approach. We use the loan shark frame because it captures the economic relationship honestly — capital at any cost, enforced by threat of personal financial destruction. But it is worth being clear that the digital, institutionally-enabled version of that relationship is not less dangerous than the original. It is considerably more so.

What makes it possible — what elevates it from a street-corner problem to a systemic one — is the infrastructure behind it. Specifically, the federally regulated financial institutions that originate the ACH debits and hold the operating accounts that make extraction automatic, continuous, and by design very difficult to stop.

This complaint is about the bank.

What happened

CT2 Solar, LLC, a Texas-based solar energy systems business I invested in, entered into two merchant cash advance agreements with Cromwell Capital LLC — one in September 2024 and one in December 2024. Cromwell advanced a total of $130,248. Over the following thirteen months, CT2 paid back $218,606. Every dollar of principal, returned. On top of that: $88,358 in effective interest, at annualized rates our CPA calculated at between 700% and over 2,000%, depending on the agreement and the calculation method.

And Cromwell continued to demand more — $44,970 more. I finally said, “No.” I’ll see you in court.

I’ve spent thirty years in institutional capital markets. I’ve structured lending transactions across every major asset class. I know how to read a contract. What I found when I read these contracts carefully — and what our CFO Brian Wolf documented in a formal financial analysis — is that Cromwell had already collected more than it was entitled to under its own agreements. The formula that was supposed to govern collections — a specified percentage of CT2’s actual receivables — was never calculated. Not once. Cromwell debited fixed amounts directly from CT2’s operating account, week after week, regardless of what was truly owed under the contracts Cromwell itself had drafted.

This isn’t a dispute about interpretation. It’s a dispute about whether Cromwell was required to follow the terms of its own agreements. We say yes. The numbers say yes. And the bank that processed every one of those debits had an obligation — under the rules that govern its own industry — to make sure each one was legitimate.

The five defendants

The complaint names five defendants. Understanding why each one is named is essential to understanding the theory.

Cromwell Capital LLC is the MCA operator. Its sole manager, Lanny Vaysman, is also a named defendant. Vaysman appears by name in the New York Attorney General’s 289-page Verified Petition against the Yellowstone Capital network (a major participant in the MCA business) — the investigation that culminated in January 2025’s $1.065 billion settlement. The NYAG’s petition specifically identifies Vaysman as a funder at Yellowstone/Delta Bridge who negotiated deals in which the specified percentage of receivables was never discussed. That’s not a coincidence. That’s a pattern.

Fifth Third Bank, N.A. is another named defendant. Fifth Third is the Originating Depository Financial Institution — the ODFI — that processed every ACH debit Cromwell pulled from CT2’s operating account. Thirty-one entries. Thirty-one times, Fifth Third transmitted a debit into the ACH network with its institutional warranty that the amount was due and owing. Thirty-one times, no one calculated whether it was.

Under Nacha’s Operating Rules — the governing framework for ACH transactions — an ODFI is not a passive wire. It is an affirmative warrantor. Section 2.4.1.6 of the Nacha rules states that the ODFI warrants, for each entry it originates, that the amount is due and owing to the originator on the settlement date. In a percentage-of-receivables MCA, that warranty can only be true if someone has done the math — verified the receivables, applied the specified percentage, confirmed the result. That calculation was never performed.

Customers Bank is a named defendant too. Customers Bank held Cromwell’s operating account and received all of CT2’s wire repayments. At the time of these transactions, Customers Bank was operating under an active Written Agreement with the Federal Reserve Bank of Philadelphia for deficiencies in exactly the compliance functions — customer due diligence, beneficial ownership identification, and suspicious activity monitoring — that should have identified Cromwell’s nature (through publicly available information about Vaysman) before the first transaction was funded. They had been told by their own regulator that their controls were inadequate. The transactions went through anyway.

World Global Capital LLC d/b/a Westwood Funding is the final defendant. Westwood is an affiliate of World Global Capital, according to the the New York Attorney General’s Verified Petition, and the name Westwood Funding was used interchangeably with Cromwell by the broker who placed both Cromwell transactions with CT2.

Why RICO — and why it reaches the banks

RICO — the Racketeer Influenced and Corrupt Organizations Act — was enacted in 1970 to address a problem that existing criminal law couldn’t solve. The problem wasn’t that organized crime committed crimes. Law enforcement had always pursued criminals. The problem was that criminal enterprises derived their power, their durability, and their scale from access to legitimate infrastructure — legitimate businesses, legitimate financial institutions, legitimate commercial systems. A loan shark operating on street corners is a local problem. A loan shark with access to the banking system, the courts, and the ACH network is a systemic one. Congress wrote RICO to reach the infrastructure, not just the actor.

That principle is exactly what this complaint applies.

Cromwell Capital, operating through Lanny Vaysman — a manager who appears by name in the New York Attorney General’s enforcement action against the Yellowstone network — extracted money from CT2’s bank account using the ACH system: the same electronic payment infrastructure that processes payroll, mortgage payments, and Social Security deposits for tens of millions of Americans. The ACH system didn’t make Cromwell’s conduct possible because anyone hacked anything or broke any technical barrier. It made it possible because Cromwell had a banking partner — Fifth Third Bank — that originates ACH entries on its behalf, and a second banking partner — Customers Bank — that holds its operating account. Two federally regulated financial institutions, woven into one of the most trusted and widely used financial systems in the country, providing the institutional legitimacy that turned a pattern of unverified collections into an unstoppable extraction mechanism — on behalf of a known player in the MCA industry, who confirmed, in now public deposition material that MCAs are not receivables purchases. They are loans — because actually tying the financial activity to true receivables was a myth.

That is precisely the situation RICO was designed to reach. Not because Fifth Third and Customers Bank are criminal enterprises. But because RICO recognizes a fundamental truth: criminal schemes that access legitimate infrastructure are categorically more dangerous, more durable, and more harmful than criminal schemes that don’t. The infrastructure is the lever. Cut it off, and the scheme collapses. Leave it in place, and the scheme reconstitutes — under a new name, with a new LLC, within weeks of any enforcement action against the operator.

That reconstitution is documented in this complaint. Cromwell Capital LLC was not Yellowstone Capital. But its manager was a Yellowstone funder identified by name in the NYAG’s Verified Petition. The ACH infrastructure that processed CT2’s collections operated identically to the Yellowstone infrastructure — because the same institutional framework is available to anyone willing to set up an LLC and open a bank account. The NYAG’s billion-dollar judgment didn’t close the pipeline. It couldn’t, because it targeted the operator without touching the infrastructure.

The RICO elements are present. The enterprise is the network of relationships among the five defendants — Cromwell, Vaysman, Fifth Third, Customers Bank, and World Global — operating together to originate, fund, collect, and process the transactions at issue. The pattern is established by the NYAG’s own data: across 115,468 transactions in the Yellowstone network, only 0.06% ever received a reconciliation adjustment. We allege the specified percentage formula was not a functioning mechanism — it was contractual language inserted to avoid loan characterization, not to govern collections. That is not one bad actor’s deviation. That is, we allege, the business model. The predicate acts are wire fraud — each of the thirty-one ACH entries Fifth Third transmitted into the interstate wire network was accompanied by Nacha’s institutional warranty that the amount was due and owing. We allege that warranty was not met: the calculation required to make it true was never performed. Thirty-one times.

We are not suggesting Fifth Third designed this scheme or that Customers Bank set out to harm small businesses. What the evidence supports — and what we are asking the court to find — is that the obligations those institutions carried under Nacha’s rules, federal banking law, and their own compliance frameworks were not met, and that their participation in the transactions at issue makes them part of the RICO enterprise we have alleged.

Whether the court agrees with every element of that theory remains to be seen. Litigation is not a guarantee. Arguments that are sound in principle can fail on application. We believe this theory is well-grounded, and we believe that even where specific arguments may not prevail, the broader question this complaint raises — whether federally regulated banks can provide the operational infrastructure for a loan sharking enterprise without accountability — is one the legal system needs to answer. If we are wrong on an element, we will be wrong honestly and on the record. But the underlying reality this complaint describes — that loan sharks are using the financial backbone of this country to systematically extract from small businesses — is not a legal theory. It is what happened.

The complaint also includes supplemental state law claims under Texas usury statutes and the Texas Deceptive Trade Practices Act.

Two arguments — and the one that doesn’t require us to be right about banking law

I want to be transparent about something, because I think intellectual honesty serves this case better than false certainty.

The ODFI warranty theory — the argument that Fifth Third’s obligations under Nacha’s rules make it a RICO participant — is a novel legal argument. I believe it is well-grounded. I have read the rules carefully. I have constructed the argument with the help of financial and legal analysis we trust. But I am not a professional litigator, and I am making an argument that no court has squarely addressed in the MCA context. There is a non-trivial possibility that a court finds I have read a Nacha provision incorrectly, or applied it in a way that doesn’t quite fit, or stretched the wire fraud predicate further than the doctrine allows. That is the nature of novel legal arguments. If I am wrong on that theory, I will be wrong honestly, on the record, having tried.

But here is what I want every reader — and every regulator, and every legislator — to understand: even if I am wrong about every detail of banking law, I am not wrong about what CT2 signed.

The contracts CT2 signed with Cromwell Capital specify a formula. A percentage of actual receivables, to be collected as that revenue is earned. That is not my characterization of the agreements. That is what the agreements say. The formula is in the documents. It is in Cromwell’s documents, drafted by Cromwell’s lawyers, executed by Cromwell and CT2.

That formula was never calculated. Not once. Not approximately. Cromwell debited fixed amounts from CT2’s operating account on a fixed schedule regardless of what CT2’s actual receivables were in any given period. What Cromwell collected bore no relationship to the formula Cromwell wrote into its own contracts. When Cromwell’s collections are measured against that formula — when someone actually does the math the contract requires — Cromwell collected more than the contract entitled it to collect, and then demanded still more on top of that.

That argument does not require Nacha. It does not require RICO. It does not require us to be right about ODFI warranties or wire fraud predicates. It requires only that the words in a contract mean what they say — a principle that has been foundational to commercial law for centuries.

I am advancing the banking infrastructure theory because we believe it is correct and because, if it is correct, it has implications far beyond CT2. But I am not advancing it as a substitute for the simpler argument. The simpler argument is this: the contract says one thing. What happened was another. That is not a technicality. That is the whole case.

If I am wrong about some aspect of how Nacha works, or how RICO applies, or how the wire fraud statute reaches bank-processed ACH entries — those are legal questions a court will resolve. What a court cannot resolve away is the math. The formula exists. The calculation was never done. The numbers don’t balance. That is true regardless of what any regulatory framework says about it.

And because I am not wrong about what CT2 signed — because the contract is what it is and the collections are what they were — I am not wrong about what happened to us. The payment system, the banking infrastructure, the courts: these are not neutral instruments. In this transaction, they were the mechanism by which something the contract did not authorize was extracted from a small business and enforced against its owners. That is what weaponization looks like. Not a conspiracy. Not a hack. Not a crime in a dark alley. A contract that said one thing, a banking system that collected another, and every instrument of legitimate commerce and law deployed in service of the difference.

Why this matters beyond CT2

The legal claims I present are specific to those transactions, those agreements, and those defendants that harmed CT2.

But the theory — the ODFI warranty as the mechanism that makes ACH extraction possible and the failure to perform required verification as the structural flaw — applies everywhere this product is sold. Cromwell is not unique. Fifth Third is not unique. The ACH origination structure is universal. If the ODFI warranty theory is correct, it applies to every percentage-of-receivables MCA where fixed amounts were debited without calculation — which, based on the NYAG’s data, is essentially all of them.

I’m a pro se plaintiff. I don’t have a law firm behind me. What I have is thirty years of institutional finance experience, a carefully documented factual record, and the determination to build this case piece by piece. I’ve been aided throughout by AI assistance — which is itself part of what this publication documents. One of the things I want to demonstrate, over the life of this litigation, is that a well-resourced adversary and a sophisticated legal theory are not the exclusive province of institutional plaintiffs with institutional counsel. Access to justice shouldn’t require a retainer.

The complaint is on file. The case is active. Every development will be documented here.

James L. Koster II is a former Fortune 200 executive with thirty years of experience in institutional capital markets. He is the pro se plaintiff in Koster v. Cromwell Capital LLC et al., Civil Action No. 3:26-CV-0743-D, United States District Court, Northern District of Texas, Dallas Division. Nothing in this publication constitutes legal advice.

That shouldn’t be a controversial statement, but somehow it gets lost in the mythology. We celebrate the entrepreneur — the risk-taker, the job creator, the backbone of the American economy. We talk about record business formations and the spirit of innovation. What we don’t talk about is that roughly half of small businesses fail within five years. Two-thirds don’t make it a decade. Behind every one of those statistics is a person who bet their savings, their time, their reputation, and often their family’s financial security on an idea — and lost.

Most of them didn’t fail because they weren’t smart enough or didn’t work hard enough. They failed because the system around them is extraordinarily good at extracting from them. The lender who charges 200% interest disguised as a “receivables purchase.” The vendor who buries a personal guarantee in a routine credit application. The court system that won’t let their LLC speak without a lawyer they can’t afford. The regulator who looks the other way because the paperwork says “not a loan.”

If you’re a small business owner, you know exactly what I’m talking about. And if you’ve ever been on the wrong end of a collections campaign — the daily calls, the weekly texts, the demands for money you may not even owe — you know the feeling I’m about to describe.

The weight

For seven months, my phone buzzed with texts from a collections agent at Cromwell Capital. Every few weeks, sometimes every few days. Always the same question, phrased a dozen different ways: When is the payoff coming?

Not “when can we reconcile your account against actual receivables” — which is what they’d ask if these transactions were what their contracts claimed them to be. Just: the payoff. The balance. When can you pay.

I knew, by the time these texts started, that the math didn’t work in their favor. I’d done the calculations. Under their own contracts, Cromwell was entitled to a specified percentage of actual receivables — 7% under the first agreement, 12% under the second. When you run those numbers against what the business actually collected, Cromwell’s entitlement was approximately $106,614. They’d already extracted $218,606. They weren’t owed $44,970 more. They owed us a refund of nearly $112,000.

I knew that. But knowing it didn’t make the phone stop ringing.

That’s the thing about collections pressure that people outside of it don’t fully understand. It’s not just about the money. It’s about the weight. Every text is a reminder that someone is coming for you. Every voicemail is another demand you have to decide whether to respond to, push back on, or absorb. Every notification on your phone carries a little charge of anxiety, even when you know — intellectually, legally, mathematically — that the person on the other end doesn’t have a leg to stand on.

The pressure is the product. It’s designed to keep you reactive, defensive, and compliant. To make you feel like the only way to make it stop is to pay whatever they’re asking, whether you owe it or not. And for most small business owners — people who are already stretched thin, already stressed, already juggling a dozen problems that are each individually overwhelming — it works. That’s why they do it.

The turn

Liberation didn’t happen in a single moment. It happened in stages.

The first stage was doing the math. Pulling the bank statements, reading the contracts, calculating what Cromwell was actually entitled to versus what they’d taken. That was the day the fear started to dissolve — because once you see the numbers, you can’t unsee them. Cromwell’s own agreements said they purchased a percentage of receivables. Their own conduct said they were running a loan. And under either framework, they’d been overpaid by six figures.

The second stage was filing the lawsuit. A few days ago, I filed a 59-page complaint in Florida state court laying out every argument, every calculation, every contractual provision, every text message. That was the day I decided to stop explaining and start litigating.

But filing isn’t the same as being heard. A lawsuit doesn’t mean anything until the other side knows about it. And that’s where things got interesting.

Cromwell Capital’s office address — the one on their Florida Secretary of State filing, updated just twenty days ago — turns out to be a UPS mailbox. A nice-sounding “suite,” but a UPS Store. Their filing doesn’t appear to have serviceable addresses for the people who need to be served. Think about that for a moment. A company that had no trouble locating my bank account to debit thousands of dollars every single week — that found my phone number, my email, and every other way to reach me when they wanted money — is suddenly hard to find when someone wants to hand them a legal complaint.

So today, as part of ongoing efforts to effectuate service under the law, I sent Cromwell the summons and complaint directly. Not as formal service — the rules govern that, and we’re continuing to work through proper channels. But as notice. I told them they’ve been sued. I asked them to confirm where service can be completed. And I sent them something else: a formal demand for our overpayment.

Not their demand to me. My demand to them. You owe us money. Here’s the math. Here are the contracts you drafted. Here are the numbers you never calculated.

And then I told them: don’t contact me anymore about payments. If you want to discuss this, you’ll hear my voice in court. That’s where we’ll settle it.

That’s liberation day.

What it isn’t

I want to be clear about what liberation day is not. It’s not the day I won. The lawsuit is filed, but it hasn’t been adjudicated. Cromwell hasn’t formally responded. There are months — possibly years — of litigation ahead. Nothing is resolved.

It’s not the day I stopped worrying. Filing a lawsuit creates its own set of anxieties. Service of process, procedural deadlines, the possibility that they countersue, the cost of fighting even when you’re right. I traded one kind of stress for another.

And it’s not the day the money came back. Cromwell has over $111,000 of overpayment that belongs to us, and they’re still demanding $44,970 more. That money isn’t recovered. It may never be recovered. I know that.

Liberation day is the day the dynamic shifted. The day I stopped being the person who receives demands and started being the person who makes them. The day their collections agent’s text messages stopped carrying any weight at all — because whatever Cromwell has to say, they can say it in a courtroom, on the record, in front of a judge. My phone is no longer part of this negotiation.

Why this matters beyond my case

If you’re a small business owner reading this, there’s a decent chance you’re carrying your own version of this weight right now. Maybe it’s an MCA company hounding you for payments on a “receivables purchase” that was never administered as one. Maybe it’s a vendor chasing a debt that’s legitimately disputed. Maybe it’s a client who owes you money and won’t pay, and you can’t afford to sue. Maybe it’s all three at once.

The feeling is the same regardless of the source: you’re trapped, you’re reactive, and you can’t see a way to the other side.

I’m not going to pretend I have all the answers. I had thirty years of finance experience when I walked into this, and it still took me months to fully understand what had happened and what my options were. Most small business owners don’t have that background, and the system is designed to exploit that gap.

But I can tell you what helped me get to the other side of that feeling — even though the fight is far from over.

Do the math. Whatever someone is demanding from you, pull the actual records and check. How much was advanced? How much have you paid back? What does the contract actually say about how payments are calculated? You might be surprised by what the numbers show. I was. The gap between what Cromwell claimed we owed and what the contract actually entitled them to was over $111,000. That number changed everything — not because it resolved anything on its own, but because it replaced fear with facts.

Read the contract. Not the summary someone gave you. Not what you think it says based on what the salesperson told you. The actual words on the page. Then compare those words to what’s actually happening. If the contract says payments are based on a percentage of receivables, but the company is debiting a fixed amount from your account every week regardless of what you actually collected — that’s a discrepancy. That discrepancy matters.

Listen to the language. When a collections agent uses the words “payoff” and “balance” and never mentions “receivables” or “specified percentage,” that tells you something. They’re treating this as a loan. If the contract says it isn’t a loan, then either the contract or the conduct is wrong — and that’s a problem for them, not for you.

Stop performing compliance. This is the hardest one. When someone is pressuring you, the natural instinct is to respond, to engage, to show good faith. And sometimes that’s the right call. But there comes a point where continued engagement isn’t good faith — it’s submission. If you’ve explained your position, if you’ve done the math, if you know where you stand, you don’t owe anyone unlimited access to your attention and your anxiety. The phone has a spam button. Use it.

Get help — or build it. If you can afford a lawyer, get one. If you can’t, you’re not alone — the vast majority of small businesses in collections disputes don’t have legal representation. But you’re not as powerless as the system wants you to believe. AI tools can help you research your rights, understand your contracts, and draft correspondence. They’re not a substitute for a lawyer, but they’re a lot better than nothing — and nothing is what most small business owners currently have.

The real liberation

Here’s what I’ve come to understand: the power these companies hold over small business owners is mostly illusory. It depends on the business owner not doing the math. It depends on them not reading the contract. It depends on them not knowing that a “future receivables purchase agreement” that demands fixed payments regardless of receivables is, in substance, a loan — and that if it’s a loan, the interest rate might be illegal. It depends on the business owner being too exhausted, too overwhelmed, and too afraid to push back.

The moment you do the math, the illusion breaks. It doesn’t make the fight easy. It doesn’t make the anxiety disappear. It doesn’t put money back in your account. But it changes who has the power in the conversation.

Cromwell had no trouble finding my bank account every week for thirteen months. They found my phone number. They found my email. But when it came time for them to be found — to receive a complaint, to answer for their conduct in court — suddenly there’s a UPS mailbox where an office should be, and addresses that don’t appear to work.

That asymmetry tells you everything you need to know about how the system operates. Easy to reach when they want your money. Hard to find when you want accountability.

Liberation day isn’t the day you win. It’s the day you stop letting someone else decide how your day starts. It’s the day you pick up the phone only when you choose to, not because someone else’s collection quota requires it. It’s the day you realize that the person texting you “any updates on the payoff?” has no more authority over you than the words on a contract they aren’t even following.

My liberation day was today. I hope this helps you find yours.

To see my other work, visit Extracted. An excerpt from “The Perfect Lap” captures the heart of what My Desert, my recently completed book, explores: the journey from striving to alignment, from performing to being present. The full book traces forty years of wandering through what I call the spiritual desert—learning to distinguish between the God we construct and the God who actually shows up. My Desert will be available this summer.

But there’s a side of the story we rarely discuss. We love to talk about business formation — the record number of new applications filed, the innovation, the job creation. What we don’t talk about is the other side of the ledger: roughly half of small businesses fail within five years, and approximately two-thirds don’t survive a decade. When a small business closes, those jobs don’t just move somewhere else. They disappear. The ripple effects — unpaid vendors, laid-off employees, drained personal savings, broken leases — are devastating and largely invisible in the data.

Why do small businesses fail? The reasons are varied, but two factors come up again and again: access to capital and capital discipline. A fundamentally sound business can fail because it can’t access working capital at the right time on fair terms. And a business with access to capital can fail if that capital comes at a cost so punishing that it drains the business faster than revenue can replenish it.

That second scenario — capital that destroys rather than sustains — is what I want to talk about. Because there is an entire industry built around providing small businesses with capital that is priced to extract, structured to obscure, and designed to shift every dollar of risk onto the business owner while the funder walks away whole. And the system that’s supposed to prevent this has been quietly dismantled over the past three decades.

I spent thirty years in institutional capital markets. I built and led commercial mortgage lending businesses and capital advisory platforms at a Fortune 200 company. I’ve signed thousands of financing documents, negotiated with some of the most sophisticated counterparties in the world, and structured transactions across every major asset class. I know how lending works — or at least I thought I did.

Then I invested in a small business.

What I discovered on the other side of the table — not as an institutional player, but as a small business owner looking for working capital — genuinely shocked me. Not because I was naive about finance, but because the world of small business funding operates by a completely different set of rules than anything I’d encountered in three decades of professional life. Rules that would be unrecognizable — and unacceptable — in any institutional context.

I’m writing this because I think most people, including most small business owners, don’t fully understand how we got here. The story isn’t just about bad actors. It’s about a structural shift in American banking that left millions of small businesses without access to fair capital — and created an enormous opportunity for those willing to extract maximum value from people with minimum options.

The banking consolidation nobody talks about

Here’s a number that should alarm anyone who cares about small business in America: in the mid-1990s, there were approximately 10,000 FDIC-insured institutions in the United States. As of the end of 2024, there were 4,487. We’ve lost more than half our banks in thirty years.

But the raw decline in the number of banks, as alarming as it is, isn’t even the most important part of the story. What matters more is where the assets went. In 1990, the five largest banks in America held roughly 10% of total commercial banking assets. Today, just four banks — JPMorgan Chase, Bank of America, Citigroup, and Wells Fargo — hold 43% of all commercial bank assets. The top ten banks control over 60%. The top twenty-five hold the equivalent of roughly 91% of total U.S. banking assets. That’s not consolidation. That’s concentration on a scale that would have been unimaginable a generation ago.

The banks that disappeared weren’t the big ones. They were community banks — and between 2012 and 2019 alone, the number of community banks dropped from 6,802 to 4,750. That decline has only continued since. The institutions vanishing from the landscape are the ones where a business owner could walk in, sit across from a loan officer who knew the business, knew the market, knew the owner’s family, and make a lending decision based on relationship and judgment — not an algorithm and a credit score.

And that gets to the real loss, which doesn’t show up in any FDIC data table: the disappearance of the community banker.

A small-town banker was, by necessity, a generalist. He lent to the dry cleaner, the grocery store, the real estate developer, and the farming operation — sometimes all in the same week. He understood people. He understood cash flow — not as a data input in a model, but as a lived reality that looked different for every business. He understood that the dry cleaner’s cash flow was seasonal, that the grocery store’s margins were razor-thin, that the farmer’s income arrived twice a year. He understood the local market — which neighborhoods were growing, which industries were struggling, which business owners had grit and which ones were in over their heads. He made lending decisions based on all of that knowledge, and he was right often enough that the system worked.

But the community banker wasn’t just a lender. He was, by necessity, an advisor. For most small businesses, he was the closest thing they had to a capital advisor or a CFO — someone who could help them think through whether to take on debt, when to expand, how to manage a cash flow crunch, when to pull back. These were businesses that couldn’t afford to hire McKinsey or a Wall Street advisory firm. The community banker filled that role — and in most cases, he did it with integrity, because his interests were aligned with the business owner’s. If the business failed, the bank lost money. If the business thrived, the banker had a customer for life. That alignment of interest was the invisible architecture that made the whole system work.

When we lost the community banker, we didn’t just lose a source of capital. We lost the advisor, the sounding board, the person who would tell a business owner “this deal doesn’t make sense for you” — and mean it. What replaced that relationship is a broker on the other end of a phone call who makes money only if the deal closes, regardless of whether it makes sense for the business.

As community banks have been absorbed into regional and national institutions, those generalists have been replaced by specialists — people who understand algorithms and data models, not businesses and business owners. When Bank of America or JPMorgan evaluates a small business loan application, it goes through automated underwriting. The business needs to fit a model. If it doesn’t fit — if the revenue is lumpy, if the industry is niche, if the business is young, if the owner’s personal credit took a hit during COVID — the application gets declined. Not because the business is bad, but because the model can’t capture what a community banker would see in person.

The community banker looked at a business that was temporarily cash-strapped but fundamentally sound and said: this is a good risk. The algorithm looks at the same business and says: declined. That’s the difference. And it’s not a small one — because every declined application pushes a business owner one step further down the capital ladder, toward options that are progressively more expensive, less transparent, and less fair.

So as community banks have been absorbed, merged, and consolidated into the handful of mega-institutions that now dominate American banking, the universe of lenders who actually understand and serve small businesses has contracted dramatically. The bankers who knew their borrowers retired or got absorbed into corporate structures where their judgment was replaced by credit models. The relationships disappeared.

What replaced them is worse than nothing.

The vacuum

When traditional bank lending contracts, small businesses don’t stop needing capital. They need it for payroll, for inventory, for equipment, for bridging the gap between completing a job and getting paid. These are fundamental, legitimate business needs. The capital has to come from somewhere.

For many small businesses, the first stop is credit cards. This is a staggering and underappreciated fact about American small business: a significant share of small business financing comes from personal and business credit cards carrying interest rates of 20% to 30% APR. Business owners are funding operations on their Visa cards — not because they’re unsophisticated, but because it’s the most accessible capital available to them after the bank says no.

Credit cards at 25% are expensive. But at least they’re regulated. At least the terms are disclosed. At least you know what you’re paying.

The next stop down the capital ladder is where it gets dangerous.

Enter the merchant cash advance

Over the past decade, an industry has exploded to fill the gap left by community banking’s decline: the merchant cash advance, or MCA. The concept sounds reasonable on its surface. A funding company “purchases” a percentage of your future receivables at a discount. You get capital today; they collect a share of your revenue tomorrow. If your revenue goes up, they collect more. If it goes down, they collect less. It’s not a loan — it’s a purchase of future revenue. No interest rate. No fixed payment schedule.

That’s the pitch. Here’s the reality.

In practice, many MCA companies operate exactly like lenders — but without any of the regulatory oversight, disclosure requirements, or usury limits that apply to actual lenders. They advance a fixed amount of money. They demand fixed weekly payments withdrawn directly from your bank account, regardless of your actual revenue. They require personal guarantees. They file UCC liens against your assets. They send “payoff” statements and demand “satisfaction of balance.” They employ collections agents who call about “the balance” and ask when you’ll complete “the payoff.”

Every single one of those behaviors is the behavior of a lender. But because the contract says “this is not a loan,” the entire regulatory framework designed to protect borrowers — usury caps, licensing requirements, disclosure rules — supposedly doesn’t apply.

The effective cost of this capital is breathtaking. Because MCA companies frame their pricing as a “factor rate” or a “purchased amount” rather than an interest rate, most small business owners have no idea what they’re actually paying in annualized terms. A typical MCA transaction that looks like a 1.4x factor rate — advance $100,000, pay back $140,000 — can translate to an effective annualized interest rate of 80%, 150%, 300%, or higher, depending on how quickly the payments are extracted. I’ve personally experienced effective annualized rates exceeding 600%.

To put that in context: Florida’s civil usury limit is 18% per annum. Its criminal usury threshold is 25%. The maximum rate on a credit card is typically 30%. And MCA companies are routinely extracting the equivalent of hundreds of percent annually from small businesses — legally, they claim, because “it’s not a loan.”

This isn’t just my assessment. In March 2024, the New York Attorney General filed a 289-page enforcement action against Yellowstone Capital and its network of affiliated entities — one of the largest MCA operations in the country — alleging systematic usury, fraud, and misrepresentation to courts. The AG’s investigation found that the “specified percentage” provisions in the contracts — the mechanism that supposedly ties payments to actual revenue and distinguishes these transactions from loans — were functionally meaningless. Payments were fixed. Durations were fixed. Reconciliation against actual receivables was discretionary, obstructed, or never performed. The AG alleged that the companies knew internally that they were making loans, marketed them as loans, administered them as loans, and then misrepresented them as receivables purchases to avoid usury laws and to deceive courts in collection proceedings. The effective interest rates, the AG alleged, vastly exceeded legal limits. The Yellowstone network operated through dozens of entity names and DBAs — a web of brands designed to obscure the scale and the common ownership behind them. It is a pattern that appears to repeat across the industry.

Why this happened

This isn’t an accident. The MCA industry exists because of a specific, identifiable market failure: the gap between what small businesses need and what regulated lenders will provide. Every community bank that gets absorbed into a regional or national institution widens that gap. Every credit model that replaces a relationship banker’s judgment narrows the pipeline of accessible capital. Every small business that gets declined by a bank becomes a potential MCA customer.

And the economics are extraordinary — for the funder. Advance $100,000, collect $150,000 or $200,000 over six months, file a personal guarantee against the owner, and move on to the next deal. If the business fails under the weight of the payments, that’s the owner’s problem. The funder already has the personal guarantee.

This is the opposite of how lending is supposed to work. In a healthy lending relationship, the lender’s interests are aligned with the borrower’s — the lender wants the borrower to succeed because that’s how the lender gets repaid. In the MCA model, the funder’s interests are extractive. Collect as much as possible, as quickly as possible. The structure is designed to maximize extraction, not to support the business.

The rise of private credit more broadly follows a similar pattern. As traditional lending institutions have pulled back from riskier or more complex credit — whether small business loans, bridge financing, or specialty lending — private credit has rushed in. Some private credit is sophisticated, well-structured, and fair. But at the lower end of the market, where small businesses operate, “private credit” too often means unregulated lending at extraordinary cost, dressed up in language designed to evade the rules that exist to protect borrowers.

What I learned the hard way

I came into small business ownership after decades in institutional finance. I was used to dealing with counterparties who honored their contracts, where terms meant what they said, and where regulatory frameworks kept everyone honest. I was used to signing things that were fair — and taking people at their word.

When I signed a “future receivables purchase agreement” that said it wasn’t a loan, that there was no interest rate, and that my personal guarantee covered only operational performance — I took those representations at face value. I’d spent a career in a world where contract language meant something.

What I discovered was that the words on the page bore no relationship to how the transaction was actually administered. Fixed weekly payments regardless of revenue. “Payoff” demands calculated by simple subtraction from a fixed balance. Collections agents who talked about “the balance” and “the payoff” without ever once mentioning receivables. An effective cost of capital that would constitute a criminal offense if the transaction were honestly labeled as what it was: a loan.

I have more knowledge of finance and capital markets than most small business owners. Thirty years of it. And it didn’t protect me — because the problem isn’t knowledge. The problem is that an entire industry has been built on the premise that if you call a loan something else, the rules don’t apply.

If it can happen to someone with my background, it can happen to anyone. And it is happening — to thousands of small business owners across the country, every day, while regulators look the other way because the paperwork says “not a loan.”

What needs to change

The fix isn’t complicated. It requires three things:

Disclosure. Every funding transaction with a small business should be required to disclose the effective annualized cost of capital — the APR — regardless of how the transaction is structured. If you’re advancing money and collecting more money back, the borrower deserves to know the true cost in terms they can compare to other options. The “it’s not a loan so we don’t have to tell you the interest rate” loophole needs to close.

Licensing. If you’re advancing capital to small businesses and collecting fixed payments from their bank accounts, you’re a lender. You should be licensed as one, supervised as one, and held to the same standards as one. The receivables purchase label shouldn’t be a regulatory escape hatch.

Enforcement. Usury laws exist for a reason. They exist because centuries of experience have shown that unregulated lending leads to extraction, exploitation, and economic destruction. When a company charges an effective rate of 200% or 600% and calls it “not interest,” regulators need the tools and the will to look through the label to the substance. But the New York Attorney General filed its complaint against major MCA participants nearly two years ago to the day – and those very same participants continue to extract the lifeblood of small business. Many other states have simply turned a blind eye.

Small businesses are the backbone of the American economy. They employ nearly half the private workforce. They deserve access to capital that is fairly priced, honestly disclosed, and properly regulated. Right now, too many of them are getting the opposite — and the system that’s supposed to protect them is looking the other way.

I’m going to keep writing about this. This is the first article in a series that will cover predatory lending, access to justice, regulatory failure, and the hidden traps in the fine print that small business owners sign every day. Future articles will document an active lawsuit against an MCA company — filed by a small business owner, pro se, in real time — and track regulatory complaints filed with government agencies. If you’re a small business owner who’s had an experience with an MCA company, I want to hear from you. If you’re a regulator, a legislator, or a journalist, I want to talk. The first step to fixing a problem is making sure people understand it exists.

To see my other work, visit Extracted. An excerpt from “The Perfect Lap” captures the heart of what My Desert, my recently completed book, explores: the journey from striving to alignment, from performing to being present. The full book traces forty years of wandering through what I call the spiritual desert—learning to distinguish between the God we construct and the God who actually shows up. My Desert will be available this summer.