Anatomy of One Pull
One ACH debit. One Tuesday morning. How many potential federal crimes can one transaction touch — and how many parties does it implicate?
DISCLOSURE: The author is a pro se plaintiff in a federal RICO action arising from a merchant cash advance transaction. This article examines the potential legal exposure created by a single ACH debit entry in a predatory MCA context. All claims are sourced from public records, federal statutes, the Nacha Operating Rules, and concluded enforcement actions. This analysis distinguishes between legitimate merchant cash advance transactions — real receivables purchases that flex with actual revenue — and predatory MCA lending, in which fixed payments are collected under variable-formula authorizations that are never applied, at effective interest rates that constitute criminal usury.
The Scene
It is a Tuesday morning. An ACH debit hits a small business checking account. The amount is the same as last week. And the week before. And every week for the past three months.
The debit is initiated by a merchant cash advance operator. The authorization on file references a “Future Receivables Purchase and Sale Agreement” and permits debits “up to” a specified ceiling “pursuant to” the agreement’s terms. The agreement defines the payment obligation through a Specified Percentage of the merchant’s actual receivables — a formula that, if applied, would produce a different amount each period based on what the business actually earned.
The formula was never applied. The amount never varied. The “good faith approximation” set at origination became the permanent collection amount. No reconciliation was performed. The effective annualized interest rate, calculable from the face of the agreement in approximately ninety seconds, exceeds 400%.
This is one debit. One entry. One line on a bank statement.
What follows is an examination of every party that touched this transaction — and the potential federal and state criminal statutes each one implicates.
I. The Originator — The MCA Operator
The originator initiates the debit. In this transaction, the originator is a merchant cash advance operator collecting under an agreement the New York Attorney General has established — across multiple enforcement actions — constitutes criminal usury when administered with fixed payments under a variable-formula authorization.
Criminal Usury — State Law
The effective annual interest rate on this transaction exceeds 400%. New York’s criminal usury threshold is 25% per annum (N.Y. Penal Law § 190.40). Florida’s criminal usury threshold is 25% (Fla. Stat. § 687.071). The rate on this transaction exceeds the usury ceiling of every state that has one. This is not a borderline case. The arithmetic is on page one of the agreement.
The NYAG’s Yellowstone investigation documented effective rates ranging from 250% to over 820% — with some exceeding 2,000% — across 87,180 agreements. Zero reconciliation refunds were issued. The “receivables purchase” label existed in every contract. It was never operationalized in any of them.
Wire Fraud — 18 U.S.C. § 1343
Each ACH debit is an interstate wire transmission. When that transmission is used to further a scheme to defraud — collecting money under an agreement that misrepresents itself as a receivables purchase while operating as a fixed loan — each transmission is a separate act of wire fraud.
The misrepresentation is not incidental to the transaction. It is the transaction. The entire legal architecture of the MCA — the avoidance of usury law, the avoidance of lending regulation, the avoidance of disclosure requirements — depends on the representation that this is a receivables purchase. When the agreement says “receivables purchase” and the operation says “fixed loan,” every collection made under that misrepresentation is wire fraud.
Collection of Unlawful Debt — 18 U.S.C. § 1962
Under RICO, the collection of an “unlawful debt” is a predicate act. An unlawful debt is defined under 18 U.S.C. § 1961(6) as a debt incurred in connection with the business of lending money at a rate usurious under state or federal law, where the usurious rate is at least twice the enforceable rate. At 400%+ against a 25% ceiling, the rate on this transaction exceeds the enforceable rate by a factor of sixteen. Every collection — every weekly or daily debit — is a separate predicate act.
Potential originator-level violations on this one pull: 3
II. The Third-Party Sender — The Processor
In many predatory MCA transactions, the originator does not have a direct relationship with the ODFI. Instead, a Third-Party Sender — a payment processor — aggregates MCA originators and manages their ACH activity through its own relationship with the ODFI. The TPS is the door through which the originator accesses the banking system.
A Critical Point: The Third Party Sender Shields No One
A common misconception — and a common defense — is that the presence of a Third-Party Sender between the originator and the ODFI creates distance that reduces the ODFI’s obligations. It does not. Under Nacha Operating Rules § 2.2.2, the ODFI is responsible for every originator that reaches the network through it, whether directly or through a Third-Party Sender. The ODFI’s § 2.4.1.6 warranty — that the amount is due and owing from the receiver to the originator — runs to the originator, not to the TPS. The TPS is not a party to the warranty. The warranty is a direct representation about the relationship between the MCA operator and the merchant. The TPS does not absorb, redirect, or diminish that obligation. It adds a layer of required compliance — its own independent BSA/KYC obligations — rather than excusing any.
Restacking the Originator’s Crimes
The TPS does not merely add its own violations to the chain. It restacks every originator-level crime by serving as the conduit through which those crimes reach the ACH network. Without the TPS, the originator cannot access the ODFI. Without the ODFI, the originator cannot access the ACH network. The TPS is the bridge — and every crime that crosses the bridge crossed through the TPS.
When a TPS transmits an ACH entry on behalf of a predatory MCA originator, it is facilitating:
Wire fraud — transmitting the interstate wire communication that effectuates the fraudulent collection
Money laundering — moving proceeds of unlawful activity (criminal usury) into the banking system through a financial institution
Collection of unlawful debt — enabling the collection of criminally usurious debt through the payment network
Independent BSA/KYC Failures
The TPS has its own obligations under the Bank Secrecy Act. FinCEN’s guidance on third-party payment processors (FIN-2012-A010) makes clear that processors have independent BSA/AML obligations, including customer due diligence on the originators they aggregate.
If the TPS onboarded this originator without adequate due diligence — without reviewing the agreement, without calculating the effective interest rate, without checking whether the originator’s principals have regulatory histories (such as a permanent FINRA bar) — the TPS failed its own compliance obligations before transmitting entry one.
After the NYAG’s Yellowstone enforcement action, the FTC’s actions against Richmond Capital Group and RAM Capital Funding, and the New Jersey AG’s settlement — all public, all documented, all naming the predatory MCA pattern — the TPS has constructive knowledge that the pattern it is facilitating has been proven to represent criminal conduct. The “reason to suspect” standard under § 5318(g) is satisfied not by knowledge of this particular originator, but by knowledge that this pattern has been publicly established as criminal.
Potential TPS-level violations on this one pull: 4-5 (facilitating wire fraud, facilitating money laundering, facilitating collection of unlawful debt, independent BSA/KYC failure, SAR failure)
III. The ODFI — The Originator’s Bank
The ODFI transmits the entry into the ACH network. In doing so, it places its unconditional warranty behind the transaction — warranting, among other things, that the amount debited is “due and owing” from the receiver to the originator. This is the institution whose federal charter, FDIC insurance, and Federal Reserve access make the entire transaction possible.
False Warranty — Nacha Operating Rules § 2.4.1.6
The ODFI’s due and owing warranty is false on this entry. As detailed in the companion article “Stand The Post,” the warranty fails across five independent prongs:
The arithmetic. The amount debited was never calculated under the agreement’s operative formula. A “good faith approximation” that was never reconciled is not a fixed and settled obligation.
Legal validity. A criminally usurious obligation is void or unenforceable in every U.S. jurisdiction. An amount calculated under a void obligation cannot be “due and owing.”
Payee entitlement. An entity collecting under a criminal usury scheme is not legally entitled to receive payment. The amount cannot be “due and owing” to a party the law prohibits from collecting it.
KYC/BSA. The warranty runs “to the Originator from the Receiver.” That directional specificity requires the ODFI to know who the originator is. If the ODFI has not performed adequate Customer Due Diligence on the originator — has not verified its legitimacy, its principals, its regulatory history — the warranty is hollow.
Unconditional. The warranty contains no knowledge carveout, no good-faith exception, no materiality threshold. The ODFI did not warrant that it believed the amount was due and owing. It warranted that it is.
The warranty was false. On every prong. On this entry and on every entry before it.
BSA/AML Program Failure — 31 U.S.C. § 5318(h)
The Bank Secrecy Act requires every financial institution to maintain an anti-money laundering program with internal policies, procedures, and controls reasonably designed to detect suspicious activity. The program must account for known typologies.
The predatory MCA pattern — identical fixed debits, daily or weekly, same originator, same receiver, under a variable-formula authorization — is a known typology. It has been established as such through six separate enforcement actions across three agencies over three years. If the ODFI’s AML program is not configured to flag this pattern, the program does not meet the BSA’s “reasonably designed” standard.
SAR Failure — 31 U.S.C. § 5318(g)
Financial institutions must file Suspicious Activity Reports when they know, suspect, or have reason to suspect that a transaction involves funds derived from illegal activity or is designed to evade reporting requirements. After the enforcement timeline documented below, every ODFI in the country has “reason to suspect” that the predatory MCA pattern represents criminal conduct. If no SAR was filed on this entry or the pattern of entries preceding it, the ODFI failed its mandatory reporting obligation.
Willful BSA Violation — 31 U.S.C. § 5322
Willful failure to maintain an adequate AML program or to file required SARs is a federal crime carrying penalties of up to ten years imprisonment and fines of up to $500,000 per violation. Federal prosecutors have demonstrated — through TD Bank ($3 billion, 2024), Rabobank ($369 million, 2018), and USAA FSB ($140 million, 2023) — that systematic BSA monitoring failures are treated as criminal matters when the pattern is sustained and the volume is significant.
The predatory MCA origination pattern is more mechanically visible than most SAR triggers. It requires only arithmetic to identify. If the ODFI’s monitoring system is not configured to flag it, that is not an oversight. It is a design choice.
Money Laundering — 18 U.S.C. § 1956 / § 1957
The ODFI’s routing number and warranty do not merely facilitate the collection. They transform the legal character of the proceeds. Each ACH entry bearing the ODFI’s routing number carries into the mainstream financial system an unconditional institutional representation that the transaction is legitimate. When the underlying obligation is criminal usury, the ODFI’s warranty converts the proceeds of an unlawful debt into institutionally certified, Fed-settled credits. That conversion is the laundering.
Under § 1957, receiving or transmitting proceeds of specified unlawful activity through a financial institution in amounts exceeding $10,000 is a federal crime. Under § 1956, conducting a financial transaction involving proceeds of specified unlawful activity to promote that activity or conceal its origins is money laundering — carrying up to twenty years imprisonment.
KYC/Customer Due Diligence Failure
The ODFI’s origination relationship with the MCA operator is a customer relationship subject to BSA’s Customer Due Diligence requirements. If the originator’s principal has a publicly searchable regulatory history — such as a permanent FINRA bar, discoverable in thirty seconds on BrokerCheck — and the ODFI did not identify it, the ODFI failed its CDD obligations before transmitting entry one.
The “We Are Just a Processor” Defense
The ODFI’s anticipated response to everything above is some version of: “We are just a processor. We move money. We didn’t originate the loan. We didn’t set the interest rate. We didn’t draft the agreement. We are not the criminal actor here.”
This defense fails on the ODFI’s own terms — and under the ODFI’s own rules.
The ODFI is not “just” anything. It is a federally chartered, federally supervised, FDIC-insured institution that voluntarily accepted participation in the ACH network and, in doing so, accepted the unconditional warranty obligations that participation requires. It warranted — not suggested, not estimated, not approximated — that the amount in this debit is due and owing. It made that warranty without condition. It made it on every entry. And it made it as a representation to every other institution in the settlement chain.
A bank that places its unconditional warranty behind a transaction is not a passive processor. It is an active certifier. The warranty is the bank’s institutional endorsement — transmitted through the Federal Reserve — that this transaction is legitimate. When it is not legitimate, the warranty is not an administrative formality. It is a false certification by a regulated institution.
The companion article “Stand The Post” addresses this defense in comprehensive detail, including the State A / State B compliance binary that eliminates the middle ground: the ODFI either read the agreement and knew, or didn’t read it and warranted blindly. Both states produce the same legal conclusion.
Potential ODFI-level violations on this one pull: 6-7 (false warranty, BSA/AML program failure, SAR failure, willful BSA violation, money laundering under § 1956, money laundering under § 1957, KYC/CDD failure)
IV. Nacha — The Governance Layer
Nacha is not a direct party to this transaction. It does not process entries, does not hold accounts, and does not transmit funds. But Nacha occupies a unique position in the architecture — and that position creates unique exposure.
Revenue from the Transaction
Nacha collects a per-entry fee on every ACH transaction its network processes. This entry generated revenue for Nacha. The entries that generate those fees could not have been originated if the rules those fees fund were actually enforced. The revenue and the enforcement obligation are in structural conflict.
Federal Incorporation by Reference
Nacha’s rules are not merely private trade association guidelines. They are incorporated by reference into 31 C.F.R. Part 210, governing federal government ACH transactions. The OCC, FDIC, Federal Reserve, and FinCEN have each incorporated Nacha’s framework into their examination guidance. Nacha did not accept this incorporation passively — it participated in the rulemaking processes through which its rules were adopted as the federal standard.
When an organization actively participates in making its rules the federal regulatory standard, derives revenue from every transaction those rules govern, and publicly claims enforcement authority through its CEO — and then declines to act on documented knowledge that criminal activity is riding its network at scale — the question is no longer limited to governance failure.
Potential Exposure
The combination of knowledge (six public enforcement actions documenting the pattern), authority (self-described governor and enforcer), revenue (per-entry fees on every predatory MCA debit), and inaction (eleven minutes, one sentence, “guidance and education”) creates potential exposure under:
Aiding and abetting (18 U.S.C. § 2) — facilitating ongoing criminal activity through deliberate inaction while deriving revenue from its continuation
Misprision of felony (18 U.S.C. § 4) — having knowledge of federal felonies occurring through its network and failing to report or act on that knowledge
This is not an assertion that Nacha committed a crime. It is an identification of exposure that the combination of knowledge, authority, revenue, and inaction creates — exposure that Nacha’s own CEO invited when she described herself as the governor and enforcer of the ACH network.
Potential Nacha-level exposure on this one pull: 2-3
V. The RDFI — The Small Business’s Bank
The RDFI receives the debit entry and posts it to the merchant’s account. The RDFI is the merchant’s bank — the institution that holds the account being debited.
BSA/AML Monitoring Obligations
The RDFI has its own BSA obligations. A pattern of identical debits — same amount, daily or weekly, draining a business account — should trigger transaction monitoring alerts. The RDFI may not know the details of the underlying MCA agreement, but the pattern on the face of the account is visible: recurring fixed debits of the same amount from the same originator, increasing in frequency or eroding the account balance to near zero on a recurring basis.
If the RDFI’s monitoring system is configured to flag unusual debit patterns on business accounts — as BSA requires — this pattern should surface. If it does not surface, the question is the same one asked of the ODFI: is the monitoring system inadequate, or is its output being disregarded?
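The typology named in the ODFI and RDFI monitoring passages above (identical fixed debits, same originator, same receiver, daily or weekly) reduces to arithmetic over posted entries. The sketch below is an added example, not code from the article or from any institution's monitoring system. The ledger rows, the originator IDs, the `variable_auth` set and the `min_run` threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class Debit:
    posted: date
    originator_id: str   # constructed ID, not a real company ID
    receiver_acct: str   # constructed account token
    amount_cents: int


@dataclass(frozen=True)
class Alert:
    originator_id: str
    receiver_acct: str
    amount_cents: int
    count: int
    cadence: str
    variable_authorization: bool


def _cadence(dates):
    """Classify posting rhythm from the median gap between consecutive debits."""
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    m = median(gaps)
    if m <= 1:
        return "daily"    # weekend gaps of 3 days leave the median at 1
    if 6 <= m <= 8:
        return "weekly"
    return "irregular"


def find_fixed_debit_runs(debits, variable_auth=frozenset(), min_run=8):
    """Flag originator/receiver pairs with a long run of identical debits.

    variable_auth: originator IDs whose authorization on file is tied to a
    variable formula (assumed to be known to the ODFI; an RDFI may pass none).
    min_run: assumed tuning value, not a figure from the article.
    """
    min_run = max(min_run, 2)
    groups = defaultdict(list)
    for d in debits:
        groups[(d.originator_id, d.receiver_acct)].append(d)

    alerts = []
    for (orig, acct), rows in sorted(groups.items()):
        rows.sort(key=lambda d: d.posted)
        best = cur = [rows[0]]
        for prev, d in zip(rows, rows[1:]):
            # Extend the run while the amount never moves; reset when it does.
            cur = cur + [d] if d.amount_cents == prev.amount_cents else [d]
            if len(cur) > len(best):
                best = cur
        if len(best) < min_run:
            continue
        cadence = _cadence([d.posted for d in best])
        if cadence != "irregular":
            alerts.append(Alert(orig, acct, best[0].amount_cents, len(best),
                                cadence, orig in variable_auth))
    return alerts


def sample_ledger():
    """Constructed sample: 13 Tuesdays of debits on one business account."""
    start = date(2024, 1, 2)  # a Tuesday
    rows = []
    for i in range(13):
        day = start + timedelta(weeks=i)
        # Fixed amount every week under a variable-formula authorization.
        rows.append(Debit(day, "ORIG-MCA-01", "ACCT-1", 250_000))
        # Same cadence, but the amount flexes from period to period.
        rows.append(Debit(day, "ORIG-RBF-02", "ACCT-1",
                          180_000 + (i * 7919) % 60_000))
    for month, amt in ((1, 41_210), (2, 38_975), (3, 44_102)):
        rows.append(Debit(date(2024, month, 15), "ORIG-UTIL-07", "ACCT-1", amt))
    return rows


if __name__ == "__main__":
    for a in find_fixed_debit_runs(sample_ledger(),
                                   variable_auth={"ORIG-MCA-01", "ORIG-RBF-02"}):
        print(a)
```

Only the fixed-amount originator is flagged; the originator whose weekly amount actually varies and the monthly biller are not.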
Failure to Exercise Return Rights
Nacha’s rules give the RDFI the right to return an unauthorized ACH debit to the ODFI — typically within two banking days for business accounts via the R29 return code. This right is permissive, not mandatory. But when a merchant reports that the debits are unauthorized, or when the pattern itself raises flags the RDFI should be investigating, the failure to exercise the return right becomes part of the structural problem.
In at least one documented case, an ODFI responded to a proof-of-authorization request by stating it was “waiting for proof or permission to return” — from the originator. The bank that warranted the debit was legitimate was asking the party that collected the money whether it was permissible to give it back. The return mechanism, as practiced, conditions the merchant’s remedy on the originator’s consent.
Potential RDFI-level violations on this one pull: 2-3 (BSA monitoring failure, SAR failure, failure to exercise return rights)
VI. When “Reason to Suspect” Became Undeniable — The Enforcement Timeline
The BSA’s SAR filing obligation is triggered when a financial institution “knows, suspects, or has reason to suspect” that a transaction involves funds derived from illegal activity. The question for every institution in this chain is: when did you have reason to suspect?
The answer is not a single date. It is a timeline of public enforcement actions — each one naming the predatory MCA pattern, each one documented in the public record, each one adding to the constructive knowledge that every institution in the ACH chain now carries.
January 2022 — FTC v. RAM Capital Funding (Tzvi Reich): Permanent ban from MCA and debt collection industries. Unauthorized withdrawals. Seizure of personal and business assets. Threats of physical violence against small business owners. $675,000 settlement.
June 2022 — FTC v. Richmond Capital Group (Robert Giardina): Permanent ban from MCA and debt collection industries. Deceptive practices since at least 2015. Misrepresentation of terms. Unauthorized withdrawals. $2.7 million restitution.
December 2022 — New Jersey AG v. Yellowstone Capital LLC: $27.375 million settlement. Predatory lending disguised as cash advances. Forgiveness of $21.7 million in outstanding balances. Operational reforms required.
September 2023 — NY AG v. Richmond Capital Group: $77.3 million judgment. Interest rates up to 4,000% annualized — 250 times the legal limit. Required to stop collecting on outstanding debt.
February 2024 — FTC v. Jonathan Braun / RCG Advances: $20.3 million judgment. Permanent industry ban. Threats of physical violence. Deceptive practices. Unauthorized withdrawals.
March 2024 — NY AG v. Yellowstone Capital LLC et al.: $1.065 billion. 18,000+ small businesses. 87,180 agreements. Zero reconciliations. Effective interest rates up to 820%, some exceeding 2,000%. Confessions of judgment used to freeze merchant accounts without notice or hearing. The largest state enforcement action against predatory lending in history.
Six enforcement actions. Three agencies. Three years. Each one public. Each one naming the predatory MCA pattern. Each one establishing — through investigation, testimony, and transactional data — that fixed-payment MCA debits under variable-formula authorizations represent criminal usury.
After January 2022, an ODFI had reason to suspect. After December 2022, the reason was documented across two agencies. After March 2024, the reason was proven at a scale that admits no ambiguity — $1.065 billion, 87,180 agreements, zero reconciliations.
The ACH debit that hit the small business account this Tuesday morning — the one entry this article examines — was originated after every one of these enforcement actions. Every institution in the chain had constructive knowledge of what this pattern represents. The “reason to suspect” standard is not a question. It is a documented fact.
VII. The Count
One ACH debit. One Tuesday morning. One line on a bank statement.
At the originator level: Criminal usury. Wire fraud. Collection of unlawful debt. 3 potential violations.
At the Third-Party Sender level: Facilitating wire fraud. Facilitating money laundering. Facilitating collection of unlawful debt. Independent BSA/KYC failure. SAR failure. 4-5 potential violations.
At the ODFI level: False warranty. BSA/AML program failure. SAR failure. Willful BSA violation. Money laundering (§ 1956). Money laundering (§ 1957). KYC/CDD failure. 6-7 potential violations.
At the Nacha governance level: Aiding and abetting. Misprision of felony. 2-3 potential exposure areas.
At the RDFI level: BSA monitoring failure. SAR failure. Failure to exercise return rights. 2-3 potential violations.
Total: approximately 17-21 potential violations across five parties — on one transaction.
And every party in the chain was compensated for its role. The originator collected the debit. The TPS collected a processing fee. The ODFI collected an origination fee. Nacha collected a per-entry fee. The RDFI collected an account fee. Everyone in the chain got paid.
The only party that lost money is the small business owner.
VIII. The Multiplier
This transaction does not happen once. It happens daily or weekly — 52 to 260 times per year per merchant. Each occurrence is a separate transaction. Each one carries its own set of potential violations. Each one generates its own fees for every institution in the chain.
Under RICO, each collection of unlawful debt is a separate predicate act. Each wire fraud is a separate predicate act. The statute requires a “pattern of racketeering activity” — defined as at least two predicate acts within ten years. A single predatory MCA agreement can produce fifty-two predicate acts in its first year alone.
And this is one merchant. The NYAG documented 18,000+ victims across the Yellowstone network alone. The FTC documented additional victims across the Richmond Capital and RAM Capital networks. The industry deploys billions annually. The number of ACH entries fitting this pattern — across all originators, all ODFIs, all processors — is not in the thousands. It is in the millions.
Each one carried a warranty. Each one generated a fee. Each one was processed without question.
IX. The Close
It is still Tuesday morning. The debit has settled. The small business owner’s account is lighter by the same amount it was lighter last week, and the week before, and every week for months. The originator has been paid. The processor has been paid. The ODFI has been paid. Nacha has been paid. The RDFI has been paid.
Seventeen to twenty-one potential violations. Five parties. One second.
Multiply this one Tuesday morning across the industry — thousands of originators, millions of transactions, billions of dollars — and the number of potential criminal acts flowing through our nation’s ACH network is staggering. All warranted. All fee-generating. All processed without question.
We have asked Nacha a number of questions through this publication. Seven in detail. Two simple ones that remain unanswered. Now a third:
What did Nacha know about the predatory MCA pattern flowing through the ACH network — and when did Nacha know it?
Because the enforcement timeline above establishes that the pattern was publicly documented starting in January 2022. Nacha’s own rules were the framework every one of those transactions rode through. Nacha’s own per-entry fees were collected on every one of those transactions. And Nacha’s own CEO described herself as the governor and enforcer of the network those transactions traveled.
If the rules already prohibit this — if the laws already criminalize it — if the pattern is visible on the face of any bank statement and requires only arithmetic to identify — why is it still happening?
The human cost is staggering. And it’s still happening.

