Stand The Post

Nacha’s response to seven questions — what it says, what it omits, and what it confirms about who is standing watch over an $86 trillion network

Apr 23, 2026

DISCLOSURE: The author is a pro se plaintiff in a federal RICO action arising from merchant cash advance transactions. This companion article addresses Nacha’s response to seven questions submitted to CEO Jane Larimer prior to publication of “The Enforcer, the Fence, and the Keeper.” All claims are sourced from public records, Nacha’s own published statements and rules, the Nacha Operating Rules, federal regulations, and the New York Attorney General’s Verified Petition in People of the State of New York v. Yellowstone Capital LLC et al. Nacha’s response is reproduced in full.

Standing the post means one thing: you don’t leave. You hold your position, you maintain watch, and you do not abandon the duty you were assigned — regardless of whether anyone is checking. Every institution in the ACH network has a post. Nacha described its own as governance, risk management, and rules enforcement. The ODFIs accepted theirs when they signed the operating rules and began warranting every entry they originated. This article examines whether anyone is standing watch.

This is a companion to The Enforcer, the Fence, and the Keeper, which argued that Nacha has built a governance structure in which banks simultaneously function as the enforcer that makes predatory MCA extraction irresistible, the fence that launders unlawful loan proceeds into the mainstream financial system, and the keeper that blocks or delays their return. That article submitted seven specific questions to CEO Jane Larimer. Nacha’s communications department responded with four paragraphs that did not answer any of them.

This article does three things. First, it examines each of Nacha’s four substantive claims — what each says, what each omits, and what each confirms. Second, it maps Nacha’s response against the seven questions actually asked, identifying precisely what was answered, what was partially addressed, and what was ignored entirely. Third, it presents the evidence — now part of the public record through a concluded state enforcement action — that establishes what Nacha’s ODFI members are required to do under the Bank Secrecy Act when they encounter the fixed-payment MCA pattern flowing through their ACH origination infrastructure.

A word before the analysis begins. It is highly likely I am not 100% correct in this analysis — nor would I dare suggest I could be. But here is what I do know. There is a pattern. It is a clear pattern. And often, that pattern is a signal of criminal activity. That much is not my opinion — it is proven, by the New York Attorney General. The question is not whether I am 100% right. The question is whether our regulated financial institutions, and Nacha, can avoid asking the far easier questions in the normal conduct of their business.

NACHA’S COMPLETE RESPONSE — REPRODUCED IN FULL

Received from Nacha’s communications department in response to seven questions submitted to CEO Jane Larimer prior to publication. Reproduced without editing or omission.

Nacha’s role is to set and maintain the Operating Rules that support consistent and efficient ACH payment processing within an interbank payment system. Nacha also provides guidance and education to help participants understand their roles within the ACH Network. Nacha does not process any ACH payments and does not have access to information about individual payments.

Please note, however, that there are a number of incorrect assertions and conclusions in your draft.

The Nacha Operating Rules are the foundation for every ACH payment. The Rules define the roles and responsibilities of financial institutions and establish clear guidelines for each ACH Network participant. Under the Nacha Rules, the warranty made by the ODFI that the payment is authorized does not further apply to the nature of the goods or services for which payment is being made.

Nacha’s enforcement role is intended to promote Rules compliance by financial institutions. It is distinct from the statutory authority exercised by regulators, law enforcement or courts. Nacha does not resolve commercial disputes between parties making and receiving payments.

The Nacha Rules permit a receiving bank to return an unauthorized ACH payment to the originating bank, typically within two banking days when an unauthorized payment posts to a business account. Although the incidence of unauthorized ACH payments is very low, Nacha recommends that businesses monitor account activity at least daily and consider using bank-offered services — such as debit blocks and positive pay — to help prevent unauthorized payments.

This response did not answer any of the seven questions submitted to Ms. Larimer. It identified no specific inaccuracy in the article. It did not mention the due and owing warranty. It did not address federal incorporation of Nacha’s rules. It did not acknowledge its CEO’s public characterization of Nacha as the network’s governor and enforcement authority. And it offered a remedy — the debit block — that the MCA agreement converts into a contractual default event.

What follows is a precise examination of each claim.

Claim 1: Nacha’s Role Is Rule-Writing and Education

What Nacha’s CEO Said Publicly — On The Record

Nacha’s description of its role conflicts with its own CEO’s public characterizations, made on the record, in documented interviews available to anyone with an internet connection.

In October 2024, on the Currency Research Podcast, Jane Larimer stated: “Nacha is the governor of the ACH network in the United States. That means we write the rules, the standards, we have risk functionality and also run the enforcement of the rules as well.”

In an earlier interview she stated: “I am responsible for the ACH network rules, the risk management and rules enforcement.”

Nacha’s response to this publication describes a rule-writing and education function. Ms. Larimer’s public statements describe governance, risk management, and enforcement — the operational vocabulary of a regulatory authority. The discrepancy between what Nacha told this publication and what its CEO says publicly is not a matter of emphasis. It is a difference in institutional identity. When a CEO publicly claims enforcement authority and the organization’s formal response describes only education and guidance, one of those characterizations is inaccurate — and both are on the record.

What Nacha Did Not Disclose: Federal Incorporation

Nacha’s response omitted a fact that materially changes the legal character of the role it described. Nacha’s rules are not merely a private trade association’s internal standards. They have been incorporated by reference into federal regulation through 31 C.F.R. Part 210, which governs federal government ACH transactions. The OCC, the FDIC, the Federal Reserve, and FinCEN have each incorporated Nacha’s framework into their examination guidance for financial institutions.

The federal government does not transcribe the rules of a rule-writing and education body into the Code of Federal Regulations as an operative compliance standard. Federal incorporation means that when a federal banking examiner assesses an ODFI’s ACH compliance, the standard applied is Nacha’s rules. The examiner does not assess whether Nacha’s rules are adequate. That question — the antecedent question — is never asked, because the federal examination framework has already accepted Nacha’s answer.

This is not an abstract legal point. It means that any gap in Nacha’s rules — any pattern of predatory origination that Nacha’s framework does not flag, any monitoring obligation it does not impose — is a gap in the federal regulatory standard. Nacha’s response described a modest institutional role. Federal incorporation assigns a substantially different one.

What Nacha Did Not Disclose: Its Own Active Participation in Federal Incorporation

Nacha did not accept federal incorporation passively. It participated in the rulemaking processes through which its rules were incorporated into federal regulation. It submitted comments. It engaged with the agencies. It supported the outcome. An organization that participates in federal rulemaking processes to support incorporation of its rules into federal regulation is not a passive beneficiary of someone else’s decision. It is an active participant in the construction of the regulatory framework.

Nacha cannot accept the authority that federal incorporation confers and simultaneously disclaim the accountability that authority demands. If Nacha’s rules are the standard by which federal examiners assess ODFI compliance, then Nacha’s adequacy as a rule-writer is a federal regulatory question — and Nacha’s response to this publication, which described only guidance and education, did not account for that.

The “Incorrect Assertions” Claim

Nacha’s response states: “Please note, however, that there are a number of incorrect assertions and conclusions in your draft.” It identified none of them specifically. This is a standard litigation-adjacent hedge — putting the word “incorrect” on the record without bearing the burden of identifying what is wrong and why. It is the institutional equivalent of saying “I disagree” without saying with what.

This article invited Nacha to identify specific inaccuracies. The offer remains open. If Nacha identifies a specific factual error in any published claim, this publication will issue a correction, attribute the correction to Nacha, and publish Nacha’s explanation of the error in full. That commitment is unconditional. But the word “incorrect,” standing alone and unspecified, is not a rebuttal. It is a placeholder for one.

What Claim 1 Did and Did Not Address

Question 1 asked whether Nacha’s network compliance function identified the fixed-payment MCA origination pattern during the period the NYAG documented over $1 billion in collections through the ACH network. Nacha’s response did not address this. It stated that Nacha “does not have access to information about individual payments.” But Question 1 did not ask about individual payments. It asked about origination patterns — the kind of systemic monitoring that Nacha’s own CEO described as “risk functionality.”

Question 4 asked whether Nacha believes it has obligations commensurate with federal incorporation of its rules. Nacha’s response did not mention federal incorporation at all.

Claim 2: The Authorization Warranty and the Goods and Services Carveout

This is the most carefully constructed paragraph in Nacha’s response. It contains a partial truth deployed to avoid a complete answer. The sentence about the goods and services carveout answers a question the article did not ask — and in doing so, draws attention away from the warranty provision the article did ask about, which Nacha’s response did not mention at all.

Level One: Nacha Quoted One Warranty and Omitted the Other

Nacha Operating Rule § 2.4.1 contains multiple distinct and independent ODFI warranty obligations. Nacha’s response addressed the authorization warranty and its goods and services carveout under § 2.4.3. This carveout is real: Nacha’s rules do not require the ODFI to adjudicate commercial disputes about the nature of the underlying goods or services.

But that is not the warranty the article raised.

§ 2.4.1.6 — the due and owing warranty — was not mentioned in Nacha’s response. Not once. This is the warranty that requires the ODFI to warrant that the specific dollar amount debited in each ACH entry is actually due and owing from the receiver to the originator. “Due and owing” is not a single condition. It is a chain of independent requirements, each of which must be satisfied, and each of which fails independently in the predatory MCA context.

First: the arithmetic. Was the amount debited the amount actually calculated under the agreement’s operative formula? In the fixed-payment MCA, the answer is no. The Specified Percentage was never applied to actual receivables. The “good faith approximation” was never reconciled. The fixed amount collected bears no demonstrated relationship to what the formula would produce. The NYAG established this across 87,180 agreements with zero reconciliation refunds. The amount is not “owing” under the agreement’s own terms because the formula that determines what is owing was never applied.

Second: the legal validity of the underlying obligation. “Due and owing” implies not just that a number was calculated, but that the obligation to pay that number is legally enforceable. A usurious loan is void or voidable in virtually every U.S. jurisdiction. Every state imposes some form of usury ceiling — civil, criminal, or both. New York’s criminal usury ceiling is 25% per annum. But this is not a New York-specific argument. The effective annual interest rates the NYAG documented — regularly in the triple digits, reaching 820% — exceed the usury ceiling in every state that has one. No U.S. jurisdiction treats an 820% annual interest rate as a legally enforceable lending obligation. No U.S. jurisdiction treats a 250% annual interest rate as one. The question of which state’s law applies to a particular transaction affects the precise ceiling. It does not affect the conclusion. An obligation carrying an effective interest rate of several hundred percent per annum is unenforceable as a matter of lending law in every state, regardless of whether that state’s statute calls it “criminal usury,” “civil usury,” or “unconscionable lending.” If the transaction is a loan — and the NYAG petition established through the respondents’ own admissions that it is — then the obligation under which these amounts are collected is void or unenforceable. An amount calculated under a void obligation cannot be “due and owing.” The ODFI is warranting that a legally unenforceable amount is owed.

Third: the payee’s legal entitlement to receive payment. Even if the arithmetic were correct and the obligation were legally valid, the party seeking payment must be legally authorized to be paid. This is the principle that operates in OFAC sanctions — the contract may be valid, the calculation may be correct, but the payment itself is impermissible because the payee is not legally entitled to receive it. In the predatory MCA context, an entity collecting payments under what has been established as a criminal usury scheme is not legally entitled to receive those payments. The illegality attaches to the receipt of funds, not merely to the contractual obligation. An amount cannot be “due and owing” to a party that is not legally authorized to be paid.

Fourth: the warranty is a BSA/KYC warranty. The due and owing warranty does not say “an amount is owed.” It says a specific amount is due and owing from the receiver to the originator. That directional specificity — to the originator — is doing enormous work. To warrant that funds are owed to a particular party, the warranting institution necessarily represents that it has sufficient knowledge of that party to make the warranty meaningful. The ODFI cannot credibly warrant that money is due and owing to an entity it has not identified, has not vetted, and has not assessed for the legitimacy of the transactions it is conducting through the ODFI’s origination infrastructure. That is not an inference from the warranty language. That is what Know Your Customer requirements exist to establish — the identity, legitimacy, and risk profile of the parties a regulated institution does business with. The ODFI’s origination relationship with the MCA operator is a customer relationship subject to BSA’s Customer Due Diligence requirements. The due and owing warranty is the point in the ACH framework where that obligation becomes operative, because the warranty is the moment the ODFI puts its institutional credibility behind the statement that this originator is entitled to receive this payment from this receiver. An unconditional warranty of entitlement, made by a regulated institution to other regulated institutions that rely on it, carries with it a necessary representation that the warranting institution has performed the diligence its regulatory obligations require. The RDFI processes the debit because the ODFI warranted it was due and owing. That reliance is only reasonable if the warranty is backed by actual diligence on the party to whom the funds are warranted as owed. If the ODFI has not performed adequate KYC on the originator — if it does not know whether the originator is conducting a legitimate receivables purchase or a criminal usury operation — then the warranty is hollow, and every institution in the chain that relied on it was relying on a representation the ODFI did not have the information to make.

Fifth: the warranty blankets the entire chain. The ODFI does not warrant one of these conditions. It warrants all of them — unconditionally, for every entry it originates. The warranty under § 2.4.1.6 runs through the chain from originator to Third-Party Sender to ODFI to the network. It is not qualified by “to the best of the ODFI’s knowledge” or “based on the originator’s representations.” It is an unconditional warranty that the amount is due and owing. If any prong fails — wrong arithmetic, void obligation, impermissible payee, inadequate diligence on the originator’s identity and legitimacy — the warranty is breached.

Nacha’s response answered a question the article did not ask — whether the goods and services carveout applies — and left unanswered the question the article did ask: how does the ODFI satisfy its due and owing warranty across all five of these conditions when the authorization is made “pursuant to” an agreement whose operative formula was never applied, whose underlying obligation may be void, whose originator may not be legally entitled to receive the funds, and whose originator’s legitimacy the ODFI may never have assessed with the diligence its own regulatory obligations require?

Level Two: Even the Authorization Warranty Nacha Did Address Fails on the Face of the Documents

Nacha’s response implied that the authorization warranty was satisfied — that the ODFI had a valid authorization for the ACH entries in question. The authorization form in a typical predatory MCA transaction tells a different story.

A representative ACH Authorization Form — the kind appended to a standard MCA Future Receivables Purchase and Sale Agreement — contains language substantially similar to the following:

“Pursuant to that certain FUTURE RECEIVABLES PURCHASE AND SALE AGREEMENT dated [date] between Purchaser and Seller (the ‘Agreement’), Seller hereby authorizes Purchaser to initiate ACH debit entries to Seller’s account… in an amount of up to [dollar amount]…”

Two phrases in that sentence are dispositive and inseparable.

“Pursuant to.” The authorization is not freestanding. It is expressly conditioned on and bounded by the Agreement it references. The Agreement defines what is owed. The authorization permits collection of what the Agreement says is owed — not more, not less, and not something different.

“Up to.” The authorization does not authorize a fixed amount. It authorizes debits up to a ceiling. “Up to” is a cap, not a floor. It means the actual amount debited must be determined by something else — and the only “something else” is the operative payment formula in the Agreement the authorization is made pursuant to.

The analogy: if someone hands you one page of a twelve-page contract that says you owe $1 million, without the other eleven pages that explain that you owe $1 million only if your revenue exceeded $10 million, the one page does not establish what is owed. It establishes a framework for determining what is owed. The authorization form in a predatory MCA transaction functions identically.

Level Three: What the Agreement — Incorporated by Reference — Establishes as Actually Due

The Agreement the authorization is made “pursuant to” defines the operative payment obligation through a specified percentage formula. In a representative MCA agreement, the initial remittance amount is described as “a good faith approximation of the Specified Percentage of Seller’s Future Receivables.”

An approximation is not a determined amount. It is not a fixed entitlement. It is — by the Agreement’s own operative definition — a preliminary estimate that the Agreement’s formula is designed to correct through the reconciliation mechanism. The amount actually due under the Agreement is the Specified Percentage of actual receivables, calculated and reconciled.

The NYAG’s investigation documented what happens in practice. The Yellowstone network entered into approximately 87,180 MCA agreements before January 2020. Across all 87,180 agreements, the number of reconciliation refunds issued was zero. The Specified Percentage formula existed in every contract. It was never applied. The “good faith approximation” was never reconciled. The fixed amount was collected without reference to actual revenue — which means the authorization form’s “pursuant to” language pointed to a formula that was never calculated, making the specific dollar amount collected in each ACH entry unsupported by the operative payment mechanism the authorization incorporated.

Level Four: The Incorporation Clause — and Its Asymmetry

MCA agreements typically contain an incorporation provision requiring the merchant to acknowledge that ACH entries must comply with applicable ACH rules, including the Nacha Operating Rules. This provision binds the merchant to Nacha’s rules. Two observations follow.

First, the provision does not limit the originator’s obligations or the ODFI’s obligations. It cannot. The ODFI’s warranty obligations arise independently under Nacha’s Operating Rules by virtue of the ODFI’s participation in the ACH network. The originator is independently bound as a Nacha Originator by virtue of its ACH origination relationship with the ODFI. Those obligations exist regardless of what the MCA agreement says.

Second, and more significantly: the incorporation provision binds the merchant to Nacha’s rules in a transaction that the Agreement itself structures to violate those rules. The merchant is told to comply with the rules. The originator collects amounts that the Agreement’s own formula — if applied — would not support. The merchant is bound to the framework. The originator operates outside it. That asymmetry is the document’s most revealing feature.

The Authorization Warranty Failure Under § 2.3.1

Nacha Operating Rule § 2.3.1 requires that a valid authorization “comply with applicable Legal Requirements, be readily identifiable as an authorization, and have clear and readily understandable terms.” An authorization form whose operative amount is “up to” a ceiling “pursuant to” an Agreement that characterizes the initial amount as a “good faith approximation” subject to reconciliation — where no reconciliation has ever been performed across tens of thousands of agreements — does not establish a readily identifiable, clear, and readily understandable authorization for the specific fixed amount being debited.

Nacha’s response stated that the authorization warranty “does not further apply to the nature of the goods or services for which payment is being made.” That is accurate. It is also unresponsive. The question was never about the nature of the goods or services. The question was about the amount — and the amount, under the operative documents, was never a fixed number.

What Claim 2 Did and Did Not Address

Question 5 asked whether Nacha’s risk guidance addresses the specific pattern of identical ACH debits under variable-formula authorizations as a mandatory SAR assessment trigger. Nacha’s response did not address this.

Question 6 asked whether Nacha has a published position on the BSA standard applicable to ODFI origination of fixed-payment entries under variable-formula MCA authorizations. Nacha’s response did not address this.

Both questions asked about the amount — the gap between what the authorization formula produces and what is actually collected. Nacha’s response addressed the nature of the goods or services. These are different questions, and the answer to one is not responsive to the other.

The Compliance Trap This Creates for Every ODFI

The warranty failures documented above are not specific to one bank’s compliance department or one originator’s documentation practices. They are structural — embedded in the intersection of Nacha’s warranty framework and the fixed-payment MCA product. The compliance trap they create is binary, and both states are fatal.

State A — The ODFI did not review the agreement. If an ODFI onboarded a receivables purchase originator without reviewing the operative agreement — the instrument that defines what amounts are due and owing, and that the authorization form itself incorporates by reference with the words “pursuant to” — it violated its § 2.2.3 due diligence obligation before entry one. Every subsequent warranty was made without the foundational review that the Rules required. The ODFI cannot invoke the agreement’s terms to defend transmissions it made without ever reading those terms. In State A, every warranty is made in willful ignorance of facts the Rules required the ODFI to know.

State B — The ODFI reviewed the agreement. If the ODFI read the agreement, the “good faith approximation” language was visible at onboarding. The formula’s structural inoperability was visible at onboarding. The arithmetic producing a criminally usurious effective rate was computable at onboarding — from the numbers on page one, in approximately ninety seconds, using a calculation performed daily in every commercial bank’s lending division. In State B, every warranty is made with actual knowledge of every fact that makes it false.

There is no third state. An ODFI either read the agreement or it did not. Both states produce the same legal conclusion: the § 2.4.1.6 warranty was false on every entry, and the ODFI either knew it was false or deliberately avoided knowing.

Nacha wrote the rules that create this binary. Nacha’s § 2.4.1.6 requires the due and owing warranty. Nacha’s § 2.2.3 requires the pre-origination review that would reveal the warranty’s impossibility. Nacha’s § 2.3.1 requires that the authorization comply with applicable Legal Requirements — which include the usury laws the ninety-second calculation reveals are violated. The rules, applied as written, do not permit a compliant ODFI to originate a single entry for a fixed-payment receivables collection program. Not the second entry. Not the first.

Nacha’s response to this publication did not address the due and owing warranty. It did not address the compliance trap the Rules create. It did not explain how any ODFI — in either state — can make the warranty Nacha’s own rules require. The omission is not incidental. The question has no answer that preserves both the warranty framework and the product it warrants.

Claim 3: Nacha’s Enforcement Role Is “Distinct” from Statutory Authority

This is the most honest paragraph in Nacha’s response. It is also the most significant — because it confirms in Nacha’s own words the central argument of the companion article.

The Gap Between What Nacha’s CEO Said and What Nacha’s Response Says

Ms. Larimer said: “We run the enforcement of the rules.” Nacha’s response says enforcement is “intended to promote Rules compliance.” These are not two descriptions of the same function. Promoting compliance and running enforcement are different institutional commitments with different resource requirements, different procedural frameworks, and different outcomes for the parties affected. A police department that describes itself as “promoting public safety through community education” is describing a fundamentally different operation than one that says it “runs law enforcement.” Nacha’s CEO used the enforcement vocabulary. Nacha’s formal response retreated to the compliance vocabulary. Both cannot accurately describe the same function.

The Federal Incorporation Consequence

The statement that Nacha’s enforcement role “is distinct from the statutory authority exercised by regulators, law enforcement or courts” is accurate as a legal matter. Nacha is not a federal agency. But this statement, standing alone, omits the consequence that makes the distinction significant.

Federal banking examiners assess ODFI compliance against Nacha’s rules. The OCC, the FDIC, the Federal Reserve, and FinCEN have each incorporated Nacha’s framework into their examination standards. When Nacha says its enforcement role is “distinct” from statutory authority, it is describing a gap. And that gap has a specific consequence: the organization whose rules define the federal compliance standard has, by its own admission, an enforcement function that operates below the level of statutory authority. The rules have the force of federal regulation. The enforcement of those rules does not.

This means that any ODFI violation of Nacha’s rules that Nacha’s own enforcement function declines to pursue — or lacks the capacity to pursue — remains a violation of the standard against which federal examiners assess compliance, but without the enforcement mechanism the rules’ federal incorporation would suggest exists. The merchant whose account is debited in violation of Nacha’s rules cannot trigger the enforcement function — that right belongs exclusively to Nacha’s member financial institutions — and the federal examination framework assesses ODFI compliance against rules whose own enforcement authority describes its role as “promoting compliance.”

Nacha’s response confirms that its enforcement authority is categorically distinct from statutory authority, that it cannot compel the outcome of a dispute, and that a merchant subjected to unauthorized ACH collections has no path to the enforcement mechanism that governs the very network those collections traverse.

The Merchant Has No Path — Confirmed

“Nacha does not resolve commercial disputes between parties making and receiving payments.”

This sentence, read alongside the documented eleven-minute complaint response described in the companion article, confirms a closed loop with no exit for the merchant:

The merchant cannot file a complaint with Nacha directly — confirmed by Nacha’s eleven-minute response directing the complainant to the financial institution whose conduct the complaint documented.
The RDFI can file permissively on the merchant’s behalf — but is not required to do so.
If the RDFI files, the ODFI can condition return on originator permission — documented in a specific case in writing.
Nacha does not resolve the resulting dispute — confirmed by Nacha’s response in this publication.
No party with authority to compel a return is required to act on the merchant’s behalf within a timeline that preserves the merchant’s operating capacity.

Nacha’s response confirmed this chain. It did not explain what the merchant is supposed to do instead. That question — the seventh question submitted to Ms. Larimer — was not answered.

What Claim 3 Did and Did Not Address

Question 2 asked whether Nacha’s eleven-minute complaint response is consistent with Ms. Larimer’s characterization of Nacha as the enforcement authority, and what remedy exists for a merchant whose RDFI declines to file on their behalf. Nacha’s response stated that it “does not resolve commercial disputes between parties making and receiving payments.” This partially addresses the question — it confirms there is no remedy within Nacha’s framework — but it does not address the consistency question or the eleven-minute response time.

Question 7 asked whether Nacha is considering structural reform to give merchants direct access to the enforcement framework. Nacha’s response did not address this.

What Fixed Payments Tell the ODFI — and What the Rules Require It to Do

Nacha’s response described its enforcement role as promoting compliance. It did not describe what compliance would actually look like if promoted — because what compliance looks like, applied to fixed-payment MCA, is the termination of the product.

The analytical chain begins with a factual observation any ODFI’s monitoring system can produce. Nacha’s § 2.2.3 requires ODFIs to monitor origination patterns across multiple settlement dates. The BSA/AML monitoring standards incorporated into federal examination guidance require ODFIs to identify transaction patterns inconsistent with the stated business purpose. When an ODFI monitors a receivables purchase program and observes that every collection is identical — to the penny, on every settlement date, across weeks or months — the pattern is inconsistent with the stated purpose. A receivables purchase collects a percentage of actual receivables. Actual receivables fluctuate with business activity. Payments that never vary are not a percentage of anything that varies. They are fixed.

That observation is not the end of the analysis. It is the beginning — because a fixed payment under a variable-formula agreement does not merely suggest that the formula is not being applied. It reclassifies the product.

The entire legal distinction between a receivables purchase and a loan depends on three structural features: variable payments tied to actual receivables, no fixed maturity date, and no absolute right of repayment. Courts have consistently identified these as the hallmarks that distinguish a true receivables purchase from a disguised loan. When the payments are fixed, the first hallmark is absent. When the agreement specifies a purchased amount to be repaid in full, the third hallmark is absent. The product is not a receivables purchase. It is a loan.

That reclassification triggers an independent obligation that exists in the current rules — not a proposed standard, not an aspirational recommendation, but an obligation the ODFI is required to perform right now. Nacha § 2.3.1 requires that an authorization “comply with applicable Legal Requirements.” The BSA/CDD framework requires the ODFI to understand the nature of the customer’s business and assess whether its activities are lawful in the jurisdictions where it operates. Once the payment pattern reveals that the product is a loan, the ODFI has an existing obligation to determine whether it is a lawful loan before continuing to serve as its collection mechanism.

The determination requires approximately ninety seconds. The numbers are on the face of page one of every standard MCA agreement: purchase price paid, purchased amount to be collected, collection amount per period, collection frequency. The XIRR calculation — the same calculation performed daily in every commercial bank’s lending division — produces the effective annualized rate. In cases documented in public filings, these rates have reached into the thousands of percent. In the NYAG Yellowstone enforcement action, the documented rates exceeded 500%. These rates do not approach criminal usury thresholds. They exceed them by multiples.

An ODFI that identifies the product as a loan and computes the rate has reached the end of the analysis: the loan is unlawful. The authorization is invalid under applicable Legal Requirements. The amount cannot be due and owing because the obligation is void. Origination must stop — not because a new rule requires it, but because the existing rules, applied as written, compel that conclusion.

Nacha’s rules already contain every obligation necessary to identify and halt fixed-payment MCA collection through the ACH network. The § 2.2.3 monitoring obligation identifies the fixed-payment pattern. The pattern reclassifies the product as a loan. The reclassification triggers the § 2.3.1 legal requirements assessment and the BSA/CDD obligation to assess legality. The assessment reveals the criminal rate. The rate makes the § 2.4.1.6 warranty impossible. No new rule is required. No regulatory amendment. No legislative action. The rules Nacha wrote — the rules whose enforcement Nacha’s CEO described as her responsibility — produce this conclusion when applied as written. The eleven-minute response to this publication’s complaint was not a failure of rule design. It was a failure of rule application by the organization that describes itself as responsible for both.

Claim 4: The Two-Banking-Day Return Right and the Debit Block Recommendation

This paragraph contains two distinct problems — one of legal accuracy and one of fundamental framing — that together reveal how Nacha’s rules function in practice to protect the extraction mechanism rather than the merchant.

The Legal Accuracy Problem: A Permissive Right Presented as a Merchant Remedy

The two-banking-day return window Nacha described does exist for business accounts — return reason code R29 (Corporate Customer Advises Not Authorized) is available for CCD entries. Nacha’s statement is technically accurate. What makes it misleading is what the statement omits about how that right operates in practice and what other return mechanisms exist that Nacha chose not to mention.

First, the two-banking-day right belongs to the RDFI, not the merchant. The merchant cannot invoke it directly. The merchant must convince their bank to act — within two banking days of settlement — on a debit that may appear routine, that posts alongside dozens of other business transactions, and that the merchant may not recognize as unauthorized until well after the window closes. Two banking days is not a remedy for a merchant subjected to a pattern of fixed extractions engineered to look like normal recurring debits.

Second, the right is permissive, not mandatory. The RDFI may return the entry. It is not required to. There is no obligation within Nacha’s framework that compels the RDFI to act on the merchant’s behalf, regardless of the evidence the merchant presents.

Third, and most significantly, Nacha’s response did not mention the proof-of-authorization mechanism — the return path that actually governs how these disputes play out in practice. Under the Nacha rules, the RDFI can submit a Written Statement of Unauthorized Debit requesting the ODFI to produce proof that the entry was authorized. The ODFI has ten banking days to respond. This is the mechanism the companion article documented — and the documented result was the ODFI responding that it was waiting for “permission to return” from the originator. The entity that collected the money was given veto power over the only realistic return mechanism available.

Nacha described the two-banking-day return right — the shortest window, the least accessible to the merchant, the one most likely to have expired before the merchant even identifies the problem. It did not describe the proof-of-authorization mechanism — the return path with a longer timeline, the one the merchant is more likely to actually use, and the one that the documented evidence shows the ODFI subordinated to originator permission. Whether this was an error or a deliberate choice of emphasis, the effect is the same: Nacha presented the least useful remedy and omitted the more relevant one whose documented outcome confirms the structural argument of the companion article.

The Framing Problem: Putting the Burden on the Merchant for a Trap the Agreement Creates

Nacha’s recommendation that businesses “consider using bank-offered services such as debit blocks and positive pay to help prevent unauthorized payments” transfers the burden of protection to the merchant. In isolation, this is reasonable advice. In context, it is advice to walk into a trap.

The MCA agreement was specifically engineered to make every available merchant protection a contractual default event:

The merchant who instructs their bank to block the debit — the debit block Nacha recommends — has committed a contractual default under the agreement’s terms, typically triggering acceleration of the full purchased amount plus fees and penalties.
The merchant who moves funds to protect cash flow has committed a default.
The merchant whose account has insufficient funds — because the fixed extractions depleted it — has committed a default.
In states that permitted confessions of judgment during the relevant period, a single missed payment could produce a court judgment freezing personal bank accounts without notice or hearing — sometimes within days.

Nacha’s rules were specifically structured to make the MCA agreement’s ACH authorization mechanism effective and irresistible. The ODFI warrants authorization. The RDFI processes the debit. The merchant’s only recourse within the framework — the debit block — triggers the agreement’s default provisions. Every exit is an entrance to something worse.

Nacha recommended a debit block to a merchant whose agreement converted a debit block into a defaulting event. That recommendation, offered without acknowledging the contractual consequence it triggers, is not a remedy. It is evidence that Nacha’s framework does not account for the reality of the transactions it governs.

What Claim 4 Did and Did Not Address

Question 5 asked about the specific ACH origination pattern — fixed identical debits under variable-formula authorizations — and whether Nacha’s risk guidance addresses it as a mandatory SAR assessment trigger. Nacha’s response described the return mechanism instead. These are different topics: one asks what happens after the unauthorized debit posts; the other asks whether the origination pattern should be flagged before it posts.

Question 6 asked about the BSA standard applicable to ODFI origination of this pattern. Nacha’s response did not address BSA obligations at all.

THE SEVEN QUESTIONS: WHAT WAS ASKED, WHAT WAS ANSWERED

The following maps each of the seven questions submitted to CEO Jane Larimer against what Nacha’s response actually addressed. This is not an argument. It is an accounting.

Nacha’s response: Did not address. Nacha stated it “does not have access to information about individual payments.” The question asked about origination patterns, not individual payments.

Question 2 asked whether Nacha’s eleven-minute complaint response — directing the complainant back to the financial institution whose conduct the complaint documented — is consistent with Nacha’s characterization as the enforcement authority for the ACH network, and what remedy exists for a merchant whose RDFI declines to file on their behalf.

Nacha’s response: Partially addressed. Nacha confirmed it “does not resolve commercial disputes between parties making and receiving payments,” which implicitly answers the remedy question (there is none within Nacha’s framework). It did not address the eleven-minute response time or the consistency with Ms. Larimer’s public characterization.

Question 3 asked whether a $26.8 million trade association with 77 employees has the institutional capacity to serve as the enforcement authority for an $86.2 trillion network, and what specific enforcement infrastructure — not rules, not guidance, but staffed enforcement capacity — Nacha maintains to monitor ODFI origination patterns.

Nacha’s response: Did not address.

Question 4 asked whether Nacha believes it has obligations commensurate with federal incorporation of its rules into 31 C.F.R. Part 210 and federal examination guidance, including an obligation to maintain enforcement mechanisms accessible to merchants.

Nacha’s response: Did not address. Federal incorporation was not mentioned.

Question 5 asked whether Nacha’s risk guidance addresses the specific pattern of recurring identical ACH entries under a variable-percentage-of-receivables authorization as a potential SAR assessment trigger, and whether Nacha has taken enforcement action against any ODFI for failing to flag this pattern.

Nacha’s response: Did not address. Nacha described the two-banking-day return mechanism, which is a post-entry remedy, not an origination-pattern monitoring standard.

Nacha’s response: Did not address. The Bank Secrecy Act was not mentioned.

Question 7 asked whether Nacha is considering structural reform to give merchants direct access to the enforcement framework, given that 18,000+ small businesses had no membership, no vote, no complaint access, and no federal statutory protection under EFTA (which excludes business accounts).

Nacha’s response: Did not address. Structural reform was not mentioned. The EFTA exclusion was not mentioned. Merchant access to enforcement was not mentioned.

Summary: Of seven questions, zero received a direct answer. One (Question 2) received a partial, implicit response. Six received no response at all. Four of the seven questions asked about specific facts, mechanisms, or positions that Nacha could have confirmed or denied. Nacha chose to address none of them, instead offering four paragraphs that describe Nacha’s general role, cite a warranty carveout the article did not rely on, confirm an enforcement gap the article identified, and recommend a remedy the MCA agreement converts into a default event.

THE EVIDENCE IN THE PUBLIC RECORD — AND WHAT IT DEMANDS

The analysis above addresses what Nacha said and didn’t say. What follows addresses what the public record now requires of every ODFI in Nacha’s network — and what Nacha, as the organization whose rules define the compliance standard, is obligated to do about it.

What the NYAG Established

On March 5, 2024, the New York Attorney General filed a Verified Petition against the Yellowstone Capital network — the largest state enforcement action against predatory MCA in history, resulting in a $1.065 billion judgment. The petition is 289 pages. It is public. Its findings are supported by sworn testimony, internal communications, and transactional data. Here is what it established, in the respondents’ own words:

The transactions were loans. The petition documented that respondents’ own personnel repeatedly referred to MCAs as “loans” and to themselves as “lenders” — in internal communications, in communications with merchants, and in sworn testimony. Multiple insiders acknowledged that the product was structured to avoid usury classification while functioning as a fixed-payment, short-term, ultra-high-interest loan.

The reconciliation mechanism was a sham. David Glass, a respondent, stated to a funder: “The merchants[’] right to a reconciliation is what makes ou[r] product not a loan. If the merchant’s right to reconciliation is a sham then the product is a loan.” Isaac Stern responded: “The only reasons MCA’s are not a loan is because we purchase a percentage of their sales and every month they have the ability to review if we possibly overcollected that percentage and receive a refund.”

Zero reconciliation refunds across 87,180 agreements. Out of approximately 87,180 MCA agreements entered before January 2020, the Yellowstone network never issued a single refund to a merchant as the result of reconciliation. The contractual right that distinguished these transactions from loans was never exercised — not once, across tens of thousands of agreements.

The Specified Percentages were deliberately inflated to prevent reconciliation. Bart Maczuga, a respondent and CEO of the successor entity, explained: “[E]veryone was making [the Specified Percentage] higher than they should to protect themselves, thus making it a sham to begin with.” Internal communications confirmed that legal departments changed contracts to reflect higher percentages specifically to ensure reconciliation would never produce a refund.

The scale. 115,468 MCA transactions. An estimated $4.5 billion collected from merchants. An estimated $1.38 billion in interest. Effective annual interest rates regularly in the triple digits, reaching as high as 820% — rates that exceed the usury ceiling, civil or criminal, of every U.S. jurisdiction that has one.

Every dollar moved through the ACH network. Every one of those 115,468 transactions was originated by an ODFI that placed its unconditional warranty behind each entry. Every fixed daily or weekly debit was processed through Nacha’s rules. Every collection was made possible by a bank that warranted it was authorized and due.

From Fixed Payments to Criminal Usury — The Analytical Steps

The connection between fixed-payment ACH debits and criminal usury is not an inference. It is a chain of established legal and factual steps, each of which is independently documented.

Step one: fixed payments make the transaction a loan. The only legal distinction between a merchant cash advance and a loan is the variable-payment structure. Courts have held consistently that a genuine purchase of future receivables — where payments fluctuate with actual business revenue, where there is no fixed maturity date, and where the funder bears the risk that the merchant earns nothing — is not a loan and is therefore not subject to usury statutes. Remove the variable feature, and the distinction collapses. When payments are fixed — identical amounts, identical frequency, regardless of actual revenue — the transaction has a fixed repayment obligation and a determinable maturity. That is a loan. The NYAG’s petition documented that the respondents’ own insiders knew this. Glass said it explicitly: if reconciliation is a sham, the product is a loan. Stern said it: the only reason MCAs are not a loan is because “we purchase a percentage of their sales.” When the percentage is never calculated and reconciliation never occurs, the reason MCAs are not loans disappears — by the insiders’ own analysis.

Step two: the interest rates are calculable from the face of the agreements. Once a fixed-payment MCA is classified as a loan, the effective interest rate is arithmetic. The funder advances a known amount. The merchant repays a larger known amount (the purchased amount) in fixed installments over a determinable period. The difference between the advance and the total repayment, annualized over the repayment period, is the effective annual interest rate. The NYAG calculated these rates across the Yellowstone network’s portfolio. They were regularly in the triple digits. They reached as high as 820%.

Step three: those rates constitute usury in virtually every U.S. jurisdiction. This is not a New York-specific conclusion. New York’s criminal usury ceiling is 25% per annum under Penal Law § 190.40. Its civil usury ceiling is 16%. But the rates the NYAG documented — 250%, 400%, 820% — are not borderline cases that turn on which state’s law applies. They exceed the usury ceiling in every state that has one. They exceed the criminal usury threshold in every state that has a criminal usury statute. Even in states with higher ceilings or broader exemptions for commercial transactions, no jurisdiction contemplates — much less permits — annual interest rates of several hundred percent on what are functionally short-term business loans. The choice-of-law question affects which statute applies. It does not affect whether these rates are lawful. They are not — anywhere.

Step four: the ACH pattern is the collection mechanism for that criminal conduct. Every fixed daily or weekly ACH debit in these transactions is a collection event on a criminal-usury-rate loan. The ACH entry is not incidental to the usury. It is the usury’s execution mechanism — the means by which the criminal interest rate is converted from a contractual term into actual money extracted from the merchant’s operating account. The bank that originates that entry is not a bystander. It is the institution whose charter, whose access to the Federal Reserve’s payment system, and whose unconditional warranty make the extraction possible.

This is the chain: fixed payments make it a loan; the rates make it criminal usury; the ACH entry is the collection mechanism; and the ODFI’s warranty is the institutional seal that moves it through the banking system. Each step is documented. Each step is calculable. And after the NYAG’s petition, each step is a matter of public record.

What the BSA Requires — and Why Banks Cannot Look Away

The Bank Secrecy Act, 31 U.S.C. § 5318(g), requires financial institutions to file Suspicious Activity Reports when they “know, suspect, or have reason to suspect” that a transaction involves funds derived from illegal activity. The operative standard is the third prong: “reason to suspect.” This is not a probable cause standard. It is not an actual knowledge standard. It is a standard that asks whether a reasonable compliance officer, given the available information, should have flagged the activity for review.

31 U.S.C. § 5318(h) separately requires every bank to maintain an anti-money laundering program with “internal policies, procedures, and controls” reasonably designed to detect suspicious activity. FinCEN has been explicit: these programs must be risk-based and must account for known typologies. When an enforcement action publicly identifies a transaction pattern as indicative of criminal conduct, that pattern becomes a known typology.

The NYAG established that fixed-payment MCA transactions signal criminal usury. What the NYAG did not do — and what no regulator, no enforcement agency, and no industry body has done — is name the specific ACH origination trigger that would identify this pattern before it causes harm. This article does.

The trigger is identical-amount ACH debits to a business account, same originator, recurring daily or weekly, under an authorization referencing a variable-percentage-of-receivables formula. Whether the threshold is three consecutive entries, five, or seven is a calibration question — not a conceptual one. The pattern is distinctive because there are almost no legitimate business transactions that produce it. Payroll varies with hours worked. Lease payments don’t post daily. Subscription services don’t debit thousands of dollars three times a week. When a business account shows identical high-frequency debits under an authorization whose stated formula requires variable amounts tied to actual revenue, that pattern is categorically inconsistent with the authorization’s own terms. It is visible on the face of any bank statement. It requires no investigation to identify — only arithmetic. Any basic rule-based transaction monitoring system can flag it. The question is not whether banks can detect this pattern. The question is whether, given what is now publicly known about what this pattern represents, they can justify not looking.

These obligations are not separate from the ODFI’s warranty obligations under Nacha’s rules. They are the same obligation, viewed from two regulatory angles. As the due and owing analysis in Claim 2 establishes, the ODFI’s warranty that each entry is due and owing to the originator is itself a representation that the ODFI has performed the diligence necessary to warrant entitlement — which is the substance of what BSA’s KYC and Customer Due Diligence requirements demand. The warranty and the BSA obligation converge at the same point: the ODFI must know enough about its originator to credibly represent that the funds being collected are legitimately owed to that originator. An ODFI that has not performed adequate KYC on an MCA originator cannot satisfy its due and owing warranty, and an ODFI that warrants amounts as due and owing without adequate KYC has made an unconditional representation it did not have the diligence to support.

Before the NYAG’s action, a bank could plausibly argue: “We process millions of ACH transactions. We cannot investigate the business purpose behind every recurring debit. The originator warranted authorization. We relied on Nacha’s rules.” That argument had weight when the bank had no specific reason to suspect the pattern represented criminal conduct.

After the NYAG’s action, that argument fails. The NYAG established — through a concluded investigation, with sworn testimony and transactional data — that fixed-payment MCA debits have been systematically used to collect criminal-usury-rate loans disguised as receivables purchases. That finding is public. It is in the record. It is supported by the respondents’ own admissions.

A bank that originates fixed-payment MCA entries after March 2024 has constructive knowledge that the pattern has been proven to signal criminal lending. The “reason to suspect” standard under § 5318(g) is triggered not by knowledge that this particular originator is engaged in usury, but by knowledge that this pattern has been publicly proven to be associated with criminal conduct. That is the definition of a known typology.

The consequences of failing to act on known typologies are not administrative. Federal prosecutors have brought criminal cases against financial institutions for systematic BSA monitoring failures. TD Bank, Rabobank, and USAA FSB each demonstrate that when the pattern is sustained and the volume is significant, the government treats monitoring failures as criminal matters under 31 U.S.C. § 5322. The predatory MCA origination pattern is more mechanically visible than most SAR triggers. It requires only arithmetic to identify.

“We Are Just Banks Processing Payments” — Why That Defense Does Not Exist

This is where the argument will be made. Every ODFI confronted with the analysis above will reach for the same defense: We are banks. We process payments. We cannot investigate the business purpose behind every ACH entry. We relied on the originator’s representations. We relied on Nacha’s rules. We are intermediaries, not participants.

That defense does not exist under the legal framework that governs these institutions. It must be stated plainly why, because the banks will say it anyway, and it must be clear — to regulators, to examiners, to prosecutors, and to the banks themselves — that the law has already answered this argument and the answer is no.

First: the BSA does not permit willful blindness. The “reason to suspect” standard under § 5318(g) was designed precisely to foreclose the argument that a bank can avoid its obligations by not looking. The statute does not require actual knowledge of criminal activity. It does not require suspicion. It requires “reason to suspect” — and a bank that processes a pattern publicly proven to represent criminal conduct has reason to suspect, whether or not it chose to look. The BSA’s entire architecture is built on the premise that financial institutions are gatekeepers, not passive conduits. A bank that says “we are just processing payments” is describing the one thing the BSA says banks are not permitted to be.

Second: systemic monitoring failures are criminal conduct. This is not a theoretical proposition. It is the holding of multiple federal enforcement actions. TD Bank paid $1.3 billion in penalties and its BSA compliance officer faced personal criminal charges — not because TD Bank knowingly laundered money, but because it failed to maintain transaction monitoring systems adequate to detect suspicious patterns flowing through its accounts. The government’s theory was not that TD Bank participated in crime. It was that TD Bank’s failure to monitor constituted a criminal violation of 31 U.S.C. § 5322. Rabobank pleaded guilty to conspiracy to obstruct an examination of its BSA compliance program and was fined $369 million. USAA FSB was fined $140 million for willful failures in its AML program. In each case, the bank’s defense was some version of “we didn’t know.” In each case, the government’s response was that not knowing — when the institution had the obligation to know and the means to know — was itself the crime.

Third: not knowing is worse than knowing when the institution was obligated to know. A bank that knowingly facilitates criminal activity is a bad actor. A bank that fails to build the systems, hire the staff, and implement the controls necessary to detect criminal activity flowing through its infrastructure is something different — it is an institution that has made a systemic decision not to perform the obligations that justify its charter, its access to the federal payments system, and its ability to make unconditional warranties on behalf of its origination clients. The knowing participant chose to break the law. The systemically negligent institution chose not to build the infrastructure necessary to follow it. Federal prosecutors have treated the latter as equal to or worse than the former, because systemic failures affect every transaction the institution processes, not just the ones involving bad actors. When a bank’s monitoring systems are inadequate, every criminal dollar that flows through the institution flows through undetected — not because the bank decided to let that particular dollar through, but because the bank decided not to build the system that would catch it.

Fourth: the ODFI is not an intermediary. It is a warrantor. This is the point that collapses the “just processing” defense entirely. An intermediary passes through a transaction without making representations about it. The ODFI does not pass through ACH entries. It warrants them. Under § 2.4.1.6, the ODFI warrants — unconditionally, on every entry, to every institution in the chain — that the amount is due and owing from the receiver to the originator. That warranty is not the act of an intermediary. It is the act of a principal. The moment the ODFI makes that warranty, it has assumed responsibility for the legitimacy of the entry. A party that makes unconditional representations about a transaction to other regulated institutions that rely on those representations cannot simultaneously claim to be “just processing payments.” You are either warranting or you are not. If you are warranting, you have accepted the obligation to know what you are warranting. If you have not performed the diligence necessary to know, you have made a representation you cannot support — and every institution that relied on your warranty was misled.

Fifth: “we relied on Nacha’s rules” is an admission, not a defense. The bank that says it relied on Nacha’s rules is saying that it relied on a framework that — as this article has documented — does not require the ODFI to flag the fixed-payment MCA pattern, does not require originator screening against concluded enforcement actions, and does not identify the most mechanically obvious predatory origination typology in the ACH network as a mandatory review trigger. Reliance on a framework that does not require adequate monitoring is not a defense to a charge that monitoring was inadequate. It is an explanation of why monitoring was inadequate. And the explanation — “we followed a framework that didn’t require us to look” — is precisely the systemic failure that federal prosecutors have treated as criminal conduct. The BSA does not say “monitor suspicious activity unless Nacha’s rules don’t require it.” It says monitor suspicious activity. The obligation is statutory. It does not yield to a trade association’s silence.

Sixth: “we didn’t intend to break the law” is not a defense when the law does not require intent — and even where it does, willful blindness satisfies it. The banks will say: even if we made mistakes, we did not act with criminal intent. This argument fails at two independent levels, and both must be stated clearly because the banks will assert this defense as though it were self-evident.

At the first level, the BSA does not require criminal intent. The willful failure standard under 31 U.S.C. § 5322 requires only that the institution acted willfully in failing to maintain adequate anti-money laundering controls or to file required SARs. Courts have consistently interpreted “willfully” in the BSA context to mean voluntary and intentional — not that the institution intended to facilitate crime, but that it intentionally chose not to build the systems, perform the monitoring, or file the reports the statute requires. An ODFI that made a deliberate institutional decision not to flag the fixed-payment MCA pattern — or that never built the monitoring capability to detect it — acted willfully in the only sense the statute requires. The absence of criminal intent to facilitate usury is irrelevant to the question of whether the bank willfully failed to monitor for it.

At the second level, for any statute that does require knowledge — including the mail and wire fraud predicates that underlie federal racketeering claims — willful blindness is legally equivalent to actual knowledge. The Supreme Court established this in Global-Tech Appliances, Inc. v. SEB S.A. (2011): a defendant who (1) subjectively believes there is a high probability that a fact is true, and (2) takes deliberate actions to avoid confirming that fact, is treated as having knowledge of that fact. The State A/State B compliance trap documented earlier in this article maps directly onto that standard. In State A, the ODFI deliberately avoided reviewing the agreement — the very document that would have revealed the warranty’s impossibility. In State B, the ODFI reviewed the agreement and had actual knowledge. There is no state in which the ODFI lacked both knowledge and the deliberate avoidance of knowledge. The compliance trap is not merely a Nacha rules problem. It is a willful blindness framework that satisfies the knowledge element of any federal statute that requires it.

The distinction between “we made mistakes” and “we chose not to look” is the distinction the law cares about. And the fixed-payment MCA pattern — visible on the face of any bank statement, computable in ninety seconds, and now documented as criminal conduct in a public enforcement record — is not the kind of thing an institution fails to see by accident. It is the kind of thing an institution fails to see because it has decided, at an institutional level, that seeing it would be inconvenient.

The final retreat will be: we were not willfully blind — we were merely negligent. We did not choose not to look. We looked, and we did a bad job. This argument does not help the bank that makes it. It destroys the bank that makes it. Under the BSA, the crime is not facilitating usury. The crime is failing to maintain adequate systems to detect suspicious activity. 31 U.S.C. § 5322 criminalizes willful failure to comply with the monitoring, reporting, and program-maintenance obligations of § 5318. A bank that says “our monitoring systems were inadequate” is not offering a defense to that charge. It is entering a confession. The BSA does not ask why your systems failed. It asks whether you maintained systems adequate to detect what you were obligated to detect. “We did a bad job” means the systems were inadequate. That is the violation — not a defense to it.

And the “bad job” characterization does not survive contact with the pattern itself. This is not a sophisticated fraud requiring forensic accounting to uncover. It is identical dollar amounts, same originator, same frequency, posting to a business account, day after day, or week after week, under an authorization whose stated formula requires variable amounts. Every ODFI in the country has transaction monitoring systems. Every one of those systems can be configured to flag identical recurring debits from a single originator. If the system was not configured to flag this pattern, that is not a bad job. That is a design choice — a decision about what the system would and would not look for.

And after March 2024, when a concluded state enforcement action established that this specific pattern represents criminal usury across 115,468 transactions, an ODFI that still has not configured its monitoring to flag it has not done a bad job. It has made a choice not to know what a public enforcement record has made knowable. That is not negligence. That is the definition of willful blindness — the deliberate decision not to confirm what you have every reason to believe is true.

The “just processing payments” defense is the argument of an institution that has not read the statute it is subject to, has not studied the enforcement actions brought against institutions that made the same argument, and has not reckoned with the fact that it is not processing payments — it is warranting them. Every ODFI that continues to originate fixed-payment MCA entries without adequate diligence is not an innocent intermediary caught in someone else’s scheme. It is a regulated institution that has made a choice — the choice not to build the systems, perform the diligence, or ask the questions that its statutory obligations and its own unconditional warranties require. That choice has a name under the BSA. It is called willful failure to maintain an adequate anti-money laundering program. And the penalties for it are not administrative. They are criminal.

The Question Nobody Has Asked Publicly: Did the Banks Run the Names?

The NYAG’s Verified Petition is a 289-page public filing. It names specific entities — Yellowstone Capital, Delta Bridge Funding, and their various subsidiaries and successors. It names specific principals — by full legal name, with aliases. It documents specific successor operations that continued operating after earlier enforcement actions. All of this information has been in the public record since March 5, 2024.

115,468 transactions over roughly a decade, flowing through multiple entity names and multiple origination relationships. Across that volume and that many entities, the ODFI population is not one or two banks. It is a significant cross-section of the ACH origination infrastructure — potentially dozens of ODFIs whose originator portfolios included the entities the NYAG identified as participants in a criminal usury scheme.

The BSA question that follows is elementary: after the petition was filed, did those ODFIs run the named entities and principals against their originator and Third-Party Sender client lists? Did they check whether Yellowstone, Delta Bridge, or any of the named individuals or successor entities were among their active origination clients? A “reason to suspect” analysis under § 5318(g) does not require banks to conduct original investigations. But it does require them to act on publicly available information identifying specific entities engaged in criminal activity through the very payment channel the bank is originating. A name-screening check against a public enforcement filing is the minimum threshold of BSA diligence. It is a database query.

And the question that follows from that one is whether Nacha — the organization whose rules define the ODFI compliance standard, the organization that describes its enforcement role as “promoting Rules compliance” — issued any guidance requiring its member ODFIs to screen their originator portfolios against the names in a concluded state enforcement action documenting criminal conduct through the ACH network it governs. If Nacha did not, that is not merely a gap in guidance. It is an institutional decision not to act on public evidence of criminal activity flowing through its own network — evidence that named specific entities, specific individuals, and specific successor operations, all of which could have been identified in any ODFI’s originator database with a straightforward compliance query.

What This Means for Nacha

Nacha’s rules define the compliance standard against which federal examiners assess ODFI behavior. Nacha’s enforcement function — by its own description — promotes compliance. Nacha’s risk guidance addresses ODFI monitoring obligations. This is Nacha’s framework. These are Nacha’s members. The fixed-payment MCA pattern flows through Nacha’s network under Nacha’s rules.

If Nacha’s risk guidance does not identify the fixed-payment MCA pattern as a mandatory review trigger — despite a concluded state enforcement action establishing that the pattern represents criminal usury across 115,468 transactions — then Nacha’s guidance has a gap. And that gap has consequences: it means the compliance standard against which federal examiners assess ODFI behavior does not flag one of the most obvious predatory origination patterns in the ACH network, even after a public enforcement action made its criminal character a matter of record.

Nacha’s response to the seven questions submitted for this article stated that its enforcement role “is intended to promote Rules compliance.” The evidence now in the public record makes clear what compliance requires. The NYAG established that fixed-payment MCA collections signal criminal usury. This article has identified the specific ACH origination pattern — identical recurring debits under a variable-formula authorization — that marks those collections on the face of any bank’s transaction records. Every ODFI in Nacha’s network that originates entries fitting this pattern has a BSA obligation to flag them for review. Nacha, as the organization whose rules define the ODFI’s compliance standard, has an obligation to say so — and to adopt the trigger, or propose a better one.

The offer to Nacha is the same as it was in the companion article: identify a specific factual error in any published claim, and this publication will issue a correction, attribute it to Nacha, and publish Nacha’s explanation in full. The seven questions remain open. The evidence in the public record is not going away. And the BSA obligations that evidence triggers do not wait for Nacha’s guidance to catch up.

The Structural Dependency Nacha’s Response Cannot Address

The compliance trap documented above — State A or State B, no third option — has an industry-level corollary that transforms this analysis from a case-specific observation into a structural one.

If an ODFI that executes its compliance obligations cannot originate a single ACH entry for a fixed-payment MCA operator collecting under a variable-formula authorization, then a fixed-payment MCA industry operating through the ACH network at scale can only exist if ODFIs systemically fail to execute those obligations. The industry does not merely benefit from ODFI non-compliance. It requires it. ODFI compliance and fixed-payment MCA collection are mutually exclusive — not as a policy preference, but as a logical and arithmetic necessity that follows from the rules Nacha wrote.

The New York Attorney General’s Yellowstone enforcement action — which named the operator whose successor entity is the originator in the underlying litigation — documented approximately 18,000 small businesses subjected to this extraction model. The enforcement action produced a consent order. The operator reconstituted under a new name within months. The ACH extraction mechanism resumed. The ODFIs continued originating entries. The warranties continued being transmitted. Nothing in the enforcement architecture changed, because the enforcement architecture — Nacha’s self-governance model — was not designed to change it.

Every ACH entry in a fixed-payment MCA program generates a per-entry fee paid to Nacha. Nacha’s own operating rules state that per-entry fees are collected to fund, among other purposes, “the net costs of the rules enforcement process.” The entries that generate those fees could not have been originated if the rules those fees fund were actually enforced. The revenue and the compliance obligation are in structural conflict — and the revenue is winning.

This is the structural dependency that Nacha’s response cannot address — not because Nacha’s communications department chose not to, but because no answer exists that preserves both propositions simultaneously. Nacha cannot assert that its rules are adequate to govern the ACH network and simultaneously explain why a product that violates those rules on every entry has operated at scale for years under Nacha’s self-described governance. The rules work. They are not applied. The organization responsible for their application described its enforcement role, in writing, to this publication, as “distinct from statutory authority” and “intended to promote compliance.” The product that survives that promotion is the proof that promotion is not enforcement.

I said at the beginning of this analysis that I am likely not 100% correct in everything that follows — and after all these pages, I’m sure that’s true. This analysis is not about finding fault. Institutions make mistakes. People make mistakes. I have made many throughout my life and career — to be fair, we all do. But the question I posed at the outset has not changed: can our regulated financial institutions, and Nacha, avoid asking the far easier questions in the normal conduct of their business? After everything above, I believe the answer is no — they cannot avoid them, and they should not try.

The pattern is visible. The evidence is public. The obligations are clear. And the fix is not that hard. A trigger standard. A screening requirement. A guidance document that says what everyone in the industry already knows: fixed-payment ACH debits under variable-formula authorizations are a red flag, and after Yellowstone, they are a red flag backed by a public record of criminal conduct. This is fixable. It is fixable quickly. It is fixable without new legislation, without new agencies, and without dismantling anything that works. It requires only the willingness to look at what is already visible and act on what the law already requires. We do not get better as a society by throwing stones, we get better by solving problems, and this problem is not that hard to solve. Uncomfortable? Maybe. Hard? Not even close.

Let no one doubt, though, that inaction has human consequences — consequences that approach life and death. The NYAG’s petition does not document abstract financial losses. It documents what happened to people. A beloved New York City bakery that employed 30 to 50 workers and had operated for nearly three decades was pushed into a spiral of debt by fixed daily collections that had no connection to the Specified Percentages in the agreements, forced to take out new MCAs just to pay existing ones, and closed its doors after its final round of MCAs purported to claim three-quarters of its daily revenue. A plumber in Virginia laid off his employees and shut down the family business his father had built — and after a representative told him the only escape from his ballooning debts was winning the lottery or death, he walked into the woods, recorded a suicide message, and attempted to take his own life. He survived. The representative who told him death was the only way out later testified: “I made a lot of money on the guy.”

These are not edge cases. They are documented outcomes across more than 18,000 identified victims — families, employees, communities — whose businesses were destroyed by a collection mechanism that ran through the ACH network, under Nacha’s rules, with an ODFI’s unconditional warranty behind every extraction. Every day this pattern continues without review, the list grows. The victims of these past crimes, and the victims that will surely follow from today’s and tomorrow’s inaction, have real names, real families, and real wounds.

It is with these souls in mind that two questions remain, each addressed to a different audience. These questions do not have complicated answers. But the people with the real wounds — they deserve answers.

To Nacha: Your CEO described Nacha as the governor of the ACH network, responsible for risk management and rules enforcement. Your formal response to this publication described a rule-writing and education function that promotes compliance and does not resolve disputes. Both statements are on the record. One of them must be true. If Nacha is the governor and enforcement authority Ms. Larimer described publicly, then it has the authority and the obligation to act on the evidence now in the public record — to issue guidance identifying the fixed-payment MCA pattern as a mandatory review trigger, to require ODFIs to screen their originator portfolios against concluded enforcement actions, and to enforce its own rules against the origination of entries that fail the due and owing warranty on their face. If Nacha cannot do these things — if its institutional capacity, its governance structure, or its funding model prevent it from manning the post its CEO claimed — then Nacha has an obligation to say so, publicly and clearly, so that the federal agencies that incorporated Nacha’s rules into their examination standards can determine whether further regulation is required to fill the gap Nacha’s own response has now confirmed exists.

To every ODFI operating within the Nacha framework: The pattern is clear. Identical ACH debits, same amount, same originator, recurring daily or weekly, to a business account, under an authorization whose stated formula requires variable amounts tied to actual revenue. You can see it on any bank statement. The NYAG established — across 115,468 transactions, with insider testimony and $4.5 billion in documented collections — that transactions fitting this pattern often signal criminal usury. That finding is public. It is in the record. It names specific entities and specific principals. You are on notice. How can you originate one more ACH entry fitting this pattern without first doing the work to verify that the amount is actually due, that the obligation is legally enforceable, and that the payee is legally entitled to receive payment? Because the due and owing warranty you place behind every entry you originate does not say “to the best of your knowledge.” It does not say “based on the originator’s representations.” It is unconditional. And the evidence establishing what this pattern represents is no longer a matter of investigative speculation. It is a matter of public record, supported by the admissions of the people who built the scheme. The question is not whether you knew. The question is whether you can credibly claim you had no reason to suspect. After March 5, 2024, the answer is no.

To see my other work, visit Extracted. An excerpt from “The Perfect Lap” captures the heart of what My Desert, my recently completed book, explores: the journey from striving to alignment, from performing to being present. The full book traces forty years of wandering through what I call the spiritual desert—learning to distinguish between the God we construct and the God who actually shows up. My Desert will be available this summer.

Thanks for reading Extracted! Subscribe for free to receive new posts and support my work.

Extracted

Discussion about this post

Ready for more?