Skip to content

ACH Risk Matrix for Research Relay LLC

Risk Assessment by Provider

Provider Risk Matrix

Provider Research Chemicals Peptides (RUO) Explicit Ban? Account Stability Approval Odds
Stripe Prohibited Prohibited Yes -- named explicitly Very Low < 5%
Square Prohibited Prohibited Yes (via card network rules) Very Low < 5%
PayPal Prohibited Prohibited Yes Very Low < 5%
Helcim Likely Restricted Likely Restricted Not explicitly named Low-Medium ~20%
Authorize.net Prohibited Prohibited Yes ("drug paraphernalia") Very Low < 5%
Dwolla Unclear Unclear Broad prohibition language Low ~15%
Paycron Supported Supported (eCheck only) No -- serves this vertical High ~99% (claimed)
Easy Pay Direct Supported Supported (w/ LegitScript) No -- serves this vertical High ~80%
AllayPay Supported Supported No -- serves this vertical High ~75%
PayBlox Supported (broker) Supported (broker) No -- brokers to compatible banks High ~70%

Risk Categories Explained

Prohibited: Provider explicitly bans research chemicals or the category falls under a named prohibition. Accounts will be terminated if the product category is detected.

Likely Restricted: Provider does not name research chemicals explicitly but has broad language covering adjacent categories (drug paraphernalia, controlled substances, unapproved pharmaceuticals). Approval is possible but account may be frozen at any time.

Supported: Provider specifically serves the peptide/research chemical vertical and has banking relationships that accept this merchant category.

What Triggers Account Reviews

Mainstream Processors (Stripe, Square, PayPal)

These triggers apply even if you somehow get approved initially:

  1. Product keywords in descriptions -- "peptide," "BPC-157," "TB-500," "research chemical," "SARM" in product names, descriptions, or transaction metadata
  2. MCC code mismatch -- If your Merchant Category Code doesn't match what you actually sell
  3. Website review -- Processors periodically crawl merchant websites. RUO product listings will be flagged
  4. Chargeback rate increase -- Any spike in disputes triggers manual review
  5. Volume spike -- Sudden increase in transaction volume
  6. Customer complaints -- Even a single complaint to the processor about product type
  7. Mastercard BRAM program -- Mastercard's Brand Risk Assurance and Merchant monitoring program (GLB 11691.1, updated 2025) specifically targets unapproved peptides and "research only" products
  8. Regulatory action -- Any FDA enforcement action in the broader peptide space can trigger portfolio-wide reviews

High-Risk Processors

These processors expect research chemical sales, so triggers are different:

  1. Chargeback rate exceeding threshold -- Typically > 1% of transactions
  2. Unauthorized ACH return rate -- R10/R29 returns above 0.5% of volume
  3. Overall ACH return rate -- Exceeding 15% total returns
  4. Regulatory changes -- New FDA or state-level restrictions on specific compounds
  5. Marketing compliance violations -- Human-use language, therapeutic claims
  6. Website changes -- Adding non-compliant content after approval

NACHA Authorization Requirements

Overview

ACH transactions are governed by NACHA (National Automated Clearing House Association) Operating Rules. For e-commerce, the WEB (Internet-Initiated/Mobile Entry) SEC code applies.

Required Authorization Elements

Every ACH debit from a consumer bank account requires written (or digitally authenticated) authorization containing:

  1. Clear identification of the merchant (Research Relay LLC)
  2. Transaction amount (specific dollar amount)
  3. Frequency -- whether single, recurring, or standing authorization
  4. Debit date -- when the customer's account will be debited
  5. Revocation language -- how to cancel the authorization
  6. Customer agreement -- explicit consent to debit the named account

Sample Authorization Language

ACH DEBIT AUTHORIZATION

I, [Customer Name], authorize Research Relay LLC ("Company") to initiate
a single Automated Clearing House (ACH) debit entry to my bank account
indicated below in the amount of $[AMOUNT].

Bank Name: [Bank Name]
Account Type: [Checking/Savings]
Routing Number: [ending in XXXX]
Account Number: [ending in XXXX]

I understand that this authorization is for a one-time payment only.
This payment will be processed within 1-2 business days of authorization.

I understand that I have the right to revoke this authorization by
contacting Research Relay LLC at support@research-relay.com or by calling
[phone number] at least 3 business days prior to the scheduled debit date.

I understand that if the debit is returned for insufficient funds, I may
be charged a return fee.

By clicking "Authorize Payment," I agree to the terms above and authorize
the debit to my bank account.

Date: [Auto-populated]
IP Address: [Auto-captured]

2026 NACHA Rule Changes (Effective March 20, 2026)

New "PURCHASE" Entry Description: For e-commerce ACH transactions, the Company Entry Description field must contain the description "PURCHASE." This applies to consumer debit entries authorized online using the WEB SEC code for purchasing goods.

Fraud Monitoring Requirements: - Phase 1 (March 20, 2026): Applies to originators with > 6 million ACH entries - Phase 2 (June 19, 2026): Applies to all non-consumer ACH originators

These rules require risk-based monitoring and enhanced controls around authorizations and payment instruction changes.

Annual WEB Certification

Merchants using the WEB SEC code for online ACH transactions must complete an annual WEB Certification confirming that appropriate online security protocols are in place to protect customer data. Your ACH processor typically handles this, but you must certify compliance.

Data Security

All ACH-related data (account numbers, routing numbers) stored electronically must be encrypted or rendered unreadable per NACHA's Supplementing Data Security Rule. When using Stripe or a processor with tokenization, this is handled automatically. If building a custom integration, ensure PCI-equivalent security for bank account data.

ACH Return Code Handling

Overview

Unlike card payments that are approved or declined instantly, ACH payments can be returned days or even weeks after the initial transaction. Returns are identified by standardized codes.

Critical Return Codes

Code Name Meaning Timing Action
R01 Insufficient Funds Customer's account lacks funds 2-3 days Retry once after 3-5 days. Notify customer.
R02 Account Closed Bank account has been closed 2-3 days Contact customer for new bank details. Do not retry.
R03 No Account / Unable to Locate Account number invalid or not found 2-3 days Contact customer to verify account details.
R04 Invalid Account Number Account number structure is invalid 2-3 days Contact customer to re-enter account info.
R05 Unauthorized Debit (Consumer) Consumer states entry not authorized Up to 60 days Stop all debits. Investigate. Review authorization records.
R07 Authorization Revoked Customer revoked standing authorization 2-3 days Stop debits. Contact customer.
R08 Payment Stopped Customer placed stop payment 2-3 days Contact customer. Do not retry.
R09 Uncollected Funds Sufficient balance but funds not yet collected 2-3 days Retry once. Similar to R01.
R10 Customer Advises Not Authorized Customer denies authorizing the transaction Up to 60 days High risk. Stop debits immediately. Review authorization proof.
R11 Check Truncation Entry Return Bank error 2-3 days Contact bank for resolution.
R16 Account Frozen Regulatory or legal freeze 2-3 days Contact customer. Do not retry.
R20 Non-Transaction Account Account type doesn't support debits (e.g., CD) 2-3 days Contact customer for different account.
R29 Corporate Customer Not Authorized Business account holder denies authorization Up to 60 days Stop debits. Verify authorization with business.

Return Code Categories

Administrative (R02, R03, R04): Wrong account info. Fixable by getting correct details from customer. Monitor for 3% threshold.

Insufficient Funds (R01, R09): Customer doesn't have money. Can retry once per NACHA rules. Monitor for overall volume.

Unauthorized (R05, R07, R10, R29): Customer denies authorization. Most dangerous. Must have proof of authorization. Monitor for 0.5% threshold.

NACHA Return Rate Thresholds

Threshold Rate Consequence
Overall Return Rate 15% Monitoring, potential penalties
Administrative Returns 3% Enhanced monitoring
Unauthorized Returns 0.5% Fines, increased monitoring, potential ACH network removal

The 0.5% unauthorized return threshold is the most critical. Exceeding this can result in fines and ultimately loss of ACH processing privileges. This is why proper authorization language and record-keeping are essential.

Retry Rules

Per NACHA Operating Rules:

  • Entries returned as R01 (Insufficient Funds) or R09 (Uncollected Funds) may be retried up to 2 times
  • Retries must use the Company Entry Description "RETRY PYMT"
  • Retry must occur within 180 days of the original transaction
  • Company name, ID, and amount must match the original
  • Retries must be sent in a separate batch
  • All other return codes should NOT be retried

ACH Dispute Process

How ACH Disputes Differ from Card Chargebacks

Aspect Card Chargeback ACH Dispute
Dispute Window 120 days (Visa/MC) 60 days (consumer)
Reversal Mechanism Card network mediation Bank-initiated ACH return
Merchant Liability Chargeback fee + amount Return fee + amount
Evidence Process Formal representment Authorization proof submission
Cost to Merchant $15-100 per chargeback $4-15 per return
Win Rate ~30-40% for merchants Higher with proper authorization

ACH Dispute Timeline

Day 0:   Customer contacts their bank about unauthorized/incorrect ACH debit
Day 1-3: Bank reviews claim, may issue provisional credit to customer
Day 1-5: Bank initiates ACH return (R10 or R29)
Day 2-7: Merchant's processor receives return notification
Day 7-14: Merchant reviews return, provides authorization proof if available
Day 14-60: If merchant has valid authorization, can dispute the return
           through their processor/ODFI
Day 60:   Consumer dispute window closes

Protecting Against ACH Disputes

  1. Capture comprehensive authorization records:
  2. Timestamp of authorization
  3. Customer IP address
  4. Device fingerprint
  5. Full authorization text shown to customer
  6. Customer's explicit consent (click, checkbox, or signature)

  7. Account details (masked)

  8. Send confirmation emails immediately after authorization with:

  9. Transaction amount
  10. Expected debit date
  11. Merchant name as it will appear on bank statement

  12. Cancellation instructions

  13. Use clear merchant descriptor -- "RESEARCH RELAY" should appear on the customer's bank statement, not a confusing abbreviation

  14. Maintain authorization records for at least 2 years (NACHA requires retention for the period specified in the Operating Rules, typically 6 years for audit trail)

Fraud Prevention Measures

Pre-Transaction Verification

  1. Instant Bank Verification (Preferred)
  2. Use Financial Connections (Stripe) or Plaid to verify account ownership
  3. Confirms account exists, is open, and belongs to the customer
  4. Eliminates R02, R03, R04 returns almost entirely

  5. Cost: $1.50 per verification (Stripe Financial Connections)

  6. Balance Check (If Available)

  7. Some verification services offer real-time balance checks
  8. Reduces R01 (Insufficient Funds) returns

  9. Must have customer permission to access balance data

  10. Micro-Deposit Verification (Fallback)

  11. Two small deposits (e.g., $0.12 and $0.34) sent to customer's account
  12. Customer confirms amounts to verify ownership
  13. Takes 2-3 business days
  14. Free but slower and lower conversion rate

Fraud Signals to Monitor

Signal Risk Level Action
First-time customer, large order Medium Manual review before processing
Shipping address doesn't match billing Medium Request verification
Multiple failed bank verifications High Block transaction
Customer email from disposable domain Medium Additional verification
Order from known fraud geography High Manual review or block
Rapid successive orders High Rate limit + manual review
Mismatched name on bank account vs order High Contact customer

Velocity Controls

Implement these limits to prevent ACH fraud:

  • Per-customer daily limit: $500 (adjust based on AOV)
  • Per-customer monthly limit: $2,000
  • New customer first-order limit: $200 (increase after first successful payment)
  • Maximum single transaction: $2,000 (adjust based on product pricing)
  • Failed verification cooldown: 24 hours after 3 failed attempts

Application & Underwriting Preparation

What to Prepare Before Applying

Regardless of which processor you apply with, have these ready:

Business Documentation

  • California LLC formation documents (Articles of Organization)
  • EIN confirmation letter from IRS
  • Operating Agreement
  • Business bank account statements (3-6 months from Mercury)
  • Business license (if applicable in your city/county)

Website Compliance

  • RUO disclaimers on every product page: "This product is intended for research use only (RUO). Not for human consumption, therapeutic use, or diagnostic purposes."
  • Terms of Service including:
  • Clear statement that products are for research use only
  • Age verification requirement (18+ or 21+)
  • Buyer attestation that products will be used for legitimate research
  • Refund/return policy
  • Shipping policy
  • Privacy Policy (CCPA-compliant for California)
  • Shipping Policy with estimated delivery times
  • Refund/Return Policy with clear conditions
  • Contact information prominently displayed (email, phone, physical address)

Product Compliance

  • Certificates of Analysis (COAs) for all products
  • No human-use language anywhere on the site
  • No dosing instructions for humans
  • No wellness, performance, or therapeutic claims
  • No customer testimonials implying personal use
  • No before/after photos
  • Professional, scientific product descriptions
  • Proper chemical nomenclature and CAS numbers where applicable

Underwriting Questions to Expect

High-risk processors will ask detailed questions. Be prepared for:

  1. "What exactly do you sell?"

  2. Answer: Research-use-only peptides and research chemicals for laboratory and academic research applications.

  3. "Who are your customers?"

  4. Answer: Independent researchers, academic institutions, and research laboratories conducting in-vitro and preclinical studies.

  5. "Do any of your products require a prescription or DEA license?"

  6. Answer: No. All products are unscheduled research chemicals sold for research use only. No products are controlled substances or require special licensing to purchase.

  7. "How do you verify customers are legitimate researchers?"

  8. Answer: Customers must attest to research-only use during checkout. We include RUO disclaimers on all products and require agreement to our Terms of Service.

  9. "What is your expected monthly volume?"

  10. Provide realistic projections based on business plan.

  11. "What is your average order value?"

  12. Provide actual or projected AOV.

  13. "What is your expected chargeback/return rate?"

  14. ACH returns for properly run RUO businesses are typically < 1%.

  15. "Do you have any previous processing history?"

  16. If using BTCPay Server, mention that as existing payment infrastructure.

  17. "Have you been terminated by any other processor?"

  18. Be truthful. If you've never had a payment processor account terminated, say so. If you have, disclose it -- they will find out through the MATCH list.

How to Present the Business

Do: - Be completely transparent about product types - Emphasize the legal, legitimate nature of RUO research chemicals - Highlight compliance measures (disclaimers, ToS, COAs) - Show professional website presentation - Provide business history and banking relationship (Mercury) - Frame the business in scientific/research terms

Don't: - Minimize or obscure what you sell - Use euphemisms that make it sound like you're hiding something - Promise unrealistically low chargeback/return rates - Apply to multiple processors simultaneously (they share data via MATCH/TMF lists) - Start processing before full approval

The MATCH/TMF List

The Member Alert to Control High-Risk Merchants (MATCH) list, formerly known as the Terminated Merchant File (TMF), is maintained by Mastercard. If a merchant is terminated by any processor for certain reasons, they are added to MATCH for 5 years.

Relevance: If Stripe or another mainstream processor terminates your account for selling research chemicals, you may be added to MATCH, making it significantly harder to get approved by any processor -- including high-risk specialists.

This is why you should NOT sign up for Stripe and hope they don't notice. If they terminate you, the MATCH listing will follow you for 5 years.

Mercury Banking Considerations

Research Relay uses Mercury for business banking. Key ACH considerations:

  • ACH deposits: Funds from ACH processor will deposit into Mercury account
  • Mercury ACH support: Mercury supports incoming ACH transfers from payment processors
  • Reconciliation: Set up automatic reconciliation between processor and Mercury
  • Reserves: If processor requires rolling reserve, those funds are held by the processor (not Mercury) -- ensure cash flow planning accounts for this

Risk Mitigation Strategy

Dual Payment Rail Approach

Customer Payment Options:
├── BTC/Lightning (BTCPay Server)
│   ├── Zero processing fees (self-hosted)
│   ├── Instant settlement
│   ├── No chargeback risk
│   ├── No merchant categorization issues
│   └── ~10-15% of customers (crypto-native)
└── ACH Bank Transfer (High-Risk Processor)
    ├── Low processing fees (1-3%)
    ├── 3-5 day settlement
    ├── Lower dispute risk than cards
    ├── Requires specialized processor
    └── ~85-90% of customers (USD payments)

Why NOT Credit Cards

For a research chemical business, avoiding credit card processing entirely (at least initially) is a defensible strategy:

  1. Card network risk: Visa and Mastercard actively monitor and restrict research chemical merchants through programs like BRAM
  2. Chargeback liability: Card chargebacks are easier for customers to initiate and harder for merchants to win
  3. Higher fees: High-risk card processing runs 4-8% plus rolling reserves
  4. ACH disputes are less common: Bank customers dispute ACH debits less frequently than card charges
  5. ACH dispute window is shorter: 60 days vs 120 days for cards

Monitoring and Alerting

Set up monitoring for:

  • ACH return rate (alert at 10%, action at 12%, critical at 14%)
  • Unauthorized return rate (alert at 0.3%, action at 0.4%, critical at 0.45%)
  • Average days to settlement (track for anomalies)
  • Failed verification rate (track bank verification success/failure)
  • Customer dispute contacts (track before they become formal returns)

  1. Do NOT use Stripe, Square, PayPal, or other mainstream processors. They will terminate the account, and a MATCH listing will make future processing harder.

  2. Apply with Paycron as the primary ACH/eCheck processor. They have the highest approval rate for the peptide vertical and understand the regulatory landscape.

  3. Evaluate LegitScript certification if Paycron requires it or if Easy Pay Direct offers better terms.

  4. Build a custom MedusaJS payment provider for the chosen high-risk processor's API.

  5. Maintain BTC/Lightning as the primary payment rail -- zero fees, instant settlement, no merchant categorization risk.

  6. Ensure full website compliance before applying: RUO disclaimers, ToS, COAs, professional presentation, no human-use language.

  7. Monitor ACH return rates religiously -- the 0.5% unauthorized threshold is the line between keeping and losing ACH processing.

Sources