The CFPB’s two-strike rule (12 CFR 1041.8) is simple: after two consecutive failed payment transfers from a borrower’s account, the lender must stop all further debits on that loan until it obtains a new, specific authorization from the borrower. Who initiated the failed attempts is irrelevant. A scheduler run, a processor’s automatic retry, and a collector’s manual retry all count against the same two.
This rule matters because most servicing systems weren’t built to enforce it. A lender may believe only two attempts occurred while the payment processor, an automated rule, or a collector’s manual retry pushed the count to three without anyone noticing. That is what an examiner flags: not the missed payment itself, but the system failure that allowed an unauthorized third attempt.
For senior leaders, the risk is structural, not operational. If the workflow can’t prevent a third attempt, interpret return codes accurately, or produce a clean audit trail, the organization is exposed. That’s why understanding this rule at the system level is critical for compliance and reputational safety.
The key exposure points are listed next so you can see where your system may be at risk.
Many processors auto-retry returned debits unless you explicitly disable that behavior. A lender may think one attempt occurred while the processor has already fired two more. During an exam, that gap between what your servicing system recorded and what actually hit the borrower’s account becomes a violation.
R01 (insufficient funds) gives you options: Nacha permits a limited number of reinitiations, although each failed reinitiation still counts toward the CFPB’s two. R07 (authorization revoked by customer) and R10 (not authorized) do not: Nacha prohibits reinitiating them at all, and retrying an R07 without a new authorization is one of the fastest ways to trigger an enforcement action. This is where most lenders lose control, because staff fall back on judgment rather than on rules the system enforces.
A borrower might tell a collector, “Go ahead and try again.” An unrecorded remark like that does not satisfy the rule. Examiners want a timestamped authorization captured in retrievable form (signed, e-signed, or a retained call recording) that identifies the specific loan, the amount, and the specific payment date.
CFPB examination teams ask for a clear timeline of every debit attempt, every return and its reason code, every notice sent, and every authorization obtained.
Most lenders cannot produce this without piecing together logs from processors, CRM notes, collections emails, and spreadsheets. That fragmentation is the compliance risk.
A single ‘unauthorized withdrawal’ complaint is enough to trigger a deeper look.
Your intent doesn’t matter. Your system controls do.
This workflow isn’t a suggestion. It’s the minimum examiners expect:
1. Halt after the second consecutive failure. The halt must be automatic and enforced by the system. Your staff should not control this.
2. Notify the borrower. Explain the failure reason, the required next steps, and what authorization is needed. This notice becomes part of your audit trail.
3. Capture the new authorization. Timestamp it. Store it in retrievable form. Link it to the specific loan and payment schedule.
4. Resume on a new schedule. New schedule. New permissions. Logged automatically.
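The four steps above, and the return-code handling discussed earlier, come down to one design rule: every debit request, from any initiator, must pass through a single gate that the system, not a person, controls. The block below is an added example written for this article to show that gate; it is not Bryt Software’s code and not the text of the CFPB rule. Names such as PaymentGate, Authorization, request_debit and the "esign" / "recorded_call" channel labels are assumptions, and the grouping of return codes is a summary of the codes named in this article, not a complete Nacha table.

```python
"""Two-strike ACH debit gate (constructed example for this article; not Bryt's code).

One choke point originates every debit. It halts automatically after two
consecutive failed transfers, halts at once on a revoked/unauthorized return,
and reopens only when a new, specific, timestamped authorization is recorded.
Every decision is appended to an audit timeline an examiner can read.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Return codes named in the article, grouped by retry handling (author's summary).
HARD_STOP_CODES = {"R07", "R10"}   # authorization revoked / not authorized: never reinitiate
RETRY_ELIGIBLE_CODES = {"R01"}     # insufficient funds: Nacha allows limited reinitiation
ACCOUNT_DATA_CODES = {"R03"}       # no account / unable to locate: fix the data first
MAX_CONSECUTIVE_FAILURES = 2       # the two strikes


class DebitBlocked(Exception):
    """Raised for any attempt the gate refuses to originate."""


@dataclass(frozen=True)
class Authorization:
    """Borrower consent in retrievable form, tied to one loan and one payment."""
    auth_id: str
    loan_id: str
    amount_cents: int
    debit_date: str          # ISO date the borrower authorized
    obtained_at: datetime    # when consent was captured, not when a collector typed a note
    channel: str             # assumed labels: "esign", "recorded_call"; "verbal_unrecorded" is rejected


def make_authorization(auth_id: str, loan_id: str, amount_cents: int,
                       debit_date: str, channel: str = "esign") -> Authorization:
    """Helper that stamps the capture time; in production the e-sign/IVR system supplies it."""
    return Authorization(auth_id, loan_id, amount_cents, debit_date,
                         datetime.now(timezone.utc), channel)


@dataclass
class PaymentGate:
    loan_id: str
    authorization: Optional[Authorization] = None
    consecutive_failures: int = 0
    halted: bool = False
    halt_reason: Optional[str] = None
    attempt_count: int = 0
    audit: list = field(default_factory=list)   # append-only timeline for examiners

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "loan_id": self.loan_id, "event": event, **fields})

    def _halt(self, reason: str) -> None:
        self.halted, self.halt_reason = True, reason
        self._log("debits_halted", reason=reason, failures=self.consecutive_failures)

    def request_debit(self, initiator: str, amount_cents: int) -> str:
        """Scheduler, processor auto-retry and collector all call this; nothing bypasses it."""
        if self.halted:
            self._log("debit_refused", initiator=initiator, reason=self.halt_reason)
            raise DebitBlocked(f"{self.loan_id}: halted ({self.halt_reason})")
        auth = self.authorization
        if auth is None or auth.loan_id != self.loan_id or auth.amount_cents != amount_cents:
            self._log("debit_refused", initiator=initiator, reason="no_matching_authorization")
            raise DebitBlocked(f"{self.loan_id}: no authorization for {amount_cents} cents")
        self.attempt_count += 1
        attempt_id = f"{self.loan_id}-{self.attempt_count}"
        self._log("debit_originated", initiator=initiator, attempt_id=attempt_id,
                  auth_id=auth.auth_id, amount_cents=amount_cents)
        return attempt_id

    def record_return(self, attempt_id: str, code: str) -> None:
        """Apply a return: every return is a strike; hard-stop codes halt immediately."""
        self._log("ach_returned", attempt_id=attempt_id, code=code)
        self.consecutive_failures += 1
        if code in HARD_STOP_CODES:
            self._halt("authorization_revoked")
        elif self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self._halt("two_consecutive_failures")

    def record_settlement(self, attempt_id: str) -> None:
        """A settled debit breaks the consecutive-failure streak."""
        self._log("ach_settled", attempt_id=attempt_id)
        self.consecutive_failures = 0

    def record_new_authorization(self, auth: Authorization) -> None:
        """The only path out of a halt: new, specific, timestamped, retrievable consent."""
        if auth.loan_id != self.loan_id:
            raise ValueError("authorization is for a different loan")
        if auth.channel == "verbal_unrecorded":
            raise ValueError("an unrecorded verbal 'try again' is not an authorization")
        self.authorization = auth
        self.consecutive_failures = 0
        self.halted, self.halt_reason = False, None
        self._log("authorization_recorded", auth_id=auth.auth_id, channel=auth.channel,
                  obtained_at=auth.obtained_at.isoformat(), debit_date=auth.debit_date,
                  amount_cents=auth.amount_cents)


def two_strike_scenario() -> PaymentGate:
    """Constructed scenario: scheduler fails, processor auto-retry fails, collector's third try is refused."""
    gate = PaymentGate("LN-1001")
    gate.record_new_authorization(make_authorization("AUTH-1", "LN-1001", 25000, "2026-03-01"))
    gate.record_return(gate.request_debit("scheduler", 25000), "R01")
    gate.record_return(gate.request_debit("processor_auto_retry", 25000), "R01")
    try:
        gate.request_debit("collector_manual", 25000)
    except DebitBlocked:
        pass  # refused by the system, recorded in the audit timeline
    return gate


if __name__ == "__main__":
    for entry in two_strike_scenario().audit:
        print(entry)
```

The point of the design is that the processor’s auto-retry and the collector’s manual retry are just two more callers of request_debit: the gate counts them, so the third attempt is refused and logged rather than discovered later in a spreadsheet. The audit list is the timeline an examiner asks for, built as a side effect of enforcement instead of reconstructed from CRM notes and emails.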

A compliant lender relies on systems that behave like policy says they should. Here’s what that looks like.
What lenders need:
All loan terms, borrower notes, communications, and payment history are stored in one place.
How Bryt supports this:
This removes the recurring uncertainty around where key information is stored and strengthens exam readiness.
What lenders need:
Clean payment histories, consolidated statements, and financial reports are ready for examiners without having to rebuild them in Excel.
How Bryt supports this:
This shifts compliance from assumption to evidence by producing clear, examiner-ready reports.
What lenders need:
Consistent handling of failed payments, notices, interest accruals, fee applications, and schedule adjustments.
How Bryt supports this:
This reduces the operational risk created by manual checks or inconsistent team practices.
What lenders need:
Flexible ways to restructure a payment schedule once account information is updated or a new plan is authorized.
How Bryt supports this:
This keeps loans performing instead of spiraling into charge-offs.
Examiners care about patterns more than one-off events. Here’s what you should monitor:
Unauthorized return rate. Nacha’s threshold for unauthorized returns is 0.5% of debits; the network average is around 0.03%. A high unauthorized return rate means weak authorization controls or bad account data.
Return code mix. Look at R01 (insufficient funds), R03 (no account or unable to locate), R07 (authorization revoked), and R10 (not authorized). The mix tells you whether your risk is operational, a data-quality problem, or an authorization problem.
Failure clusters. Clusters of failures by processor, product, or team indicate process issues, not borrower issues.
Time to cure. How long does it take to fix account details, get a new authorization, or reset a schedule? Bryt’s Custom Reporting Module gives you the data to build these dashboards without a developer sprint.
The CFPB’s two-strike rule is simple. The messy part is everything that happens inside your systems after a failed ACH.
A modern loan management system like Bryt won’t write your policies for you. What it does is make those policies enforceable across every loan, every processor, and every team member, without relying on spreadsheets.
Two failed attempts should never put your institution at risk. Disconnected systems and manual processes do.
If you’re not confident you could walk an examiner through your failed ACH workflows today, it’s a good sign your servicing infrastructure needs attention.
Start by mapping your current gaps, then see how a platform like Bryt can replace ad hoc fixes with a system that’s exam-ready by design.
When you’re ready to see how that looks in your own portfolio, schedule a short demo with the Bryt team and pressure-test it against your real-world scenarios.
© 2026 Bryt Software LLC. All Rights Reserved.