Platform Due Diligence Onboarding Requirements and Checklist
Key Focus Areas for Platform Software
Authorization Compliance: Ensure your software captures proper customer consent for ACH transactions per Nacha Rules, with clear authorization language and proper authentication. [ACH Auth Guide]
Privacy Compliance: Maintain transparent privacy practices and secure data handling, especially when sharing customer information with Straddle for payment processing.
Record Retention: Implement systems to maintain authorization and transaction records per regulatory requirements.
Required Documentation (Summary)
Terms of Service (customer facing)
Privacy Policy
InfoSec Policy
Data Security Policy
Data Retention Policy
Proof of Nacha-compliant ACH authorization processes
    This can be demonstrated through screenshots of portal processes, walkthroughs, data logs, etc.
Required Documentation
[ ] Consumer-facing Terms of Service:
    Clear fee disclosure (all fees charged to end customers)
    Refund and cancellation policies
    Dispute resolution process
    Contact information for customer support
[ ] Privacy Policy:
    Disclosure that customer data is shared with Straddle for payment processing
    Process for data subject requests (access, deletion, correction)
    Contact information for privacy inquiries
    Compliance with applicable state privacy laws
[ ] Information Security Policy:
    Employee access controls for customer data
    Data encryption requirements
    Incident response procedures
    Third-party data sharing protocols
[ ] Data Security Policy:
    Employee access controls for customer data
    Data encryption requirements (in transit and at rest)
    Incident response procedures
    Third-party data sharing protocols
    Network security controls
    Regular security assessments/audits
[ ] Data Retention Policy specifying:
    Retention periods for customer data (minimum 2 years for payment records)
    Data deletion procedures after retention period
[ ] Data Retention
    Authorization Storage: Ability to reproduce customer payment authorizations
    Transaction Audit Trail: Complete payment processing records
    Retention Period: Minimum 2 years for all payment-related records
Note: If policies are combined into an MSA/T&C, please provide the full documentation.
ACH Authorization Capture
Digital Capture (Most Platform Partners)
SEC Code WEB - Digital Authorization Process that captures:
    Clear, legible consent language for ACH debits
    Transaction-specific details:
        Client/account information: full name and bank account information (at least last 4 digits)
        IP address
        Authorization amount
        Payment timing/frequency
    Method to revoke authorization (how customers can cancel authorization)
Authentication Requirements:
    Customer login/account verification
    Digital signature/electronic consent method
    Authentication must occur simultaneously with authorization
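The WEB capture and record-keeping requirements above (and the Data Retention items in the Required Documentation list), as an added Python illustration that is not part of this checklist and not Straddle's own code: it checks that a captured authorization carries every listed element and that authentication was contemporaneous with the consent action, keeps only the last 4 digits of the bank account, fingerprints the stored record so it can be reproduced unchanged for an examiner, and applies the 2-year minimum retention before a record may be purged. The field names, the 5-minute window used to judge "simultaneous", and the sample customer values are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# "Minimum 2 years for all payment-related records" (from the checklist).
RETENTION_MIN = timedelta(days=2 * 365)
# Assumed tolerance for "authentication must occur simultaneously with
# authorization": login and the consent action must fall inside one short window.
MAX_AUTH_GAP = timedelta(minutes=5)


def mask_account(account_number: str) -> str:
    """Reduce a bank account number to its last 4 digits before anything is stored."""
    digits = "".join(ch for ch in account_number if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("account number must have at least 4 digits")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class WebAuthorization:
    """One WEB authorization as captured at the moment of consent (field names are assumed)."""
    customer_name: str
    account_last4: str          # only the masked form is kept
    ip_address: str
    amount_cents: int
    schedule: str               # "one-time", "monthly", ...
    consent_text: str           # the exact language the customer agreed to
    consent_method: str         # e.g. "checkbox+submit" or "typed name"
    revocation_method: str      # how the customer can cancel the authorization
    authenticated_at: datetime  # customer login / account verification
    authorized_at: datetime     # the consent action itself


def validate(auth: WebAuthorization) -> list[str]:
    """Return the checklist items the captured record fails; an empty list means complete."""
    problems = []
    for name, value in asdict(auth).items():
        if value in ("", None):
            problems.append(f"missing {name}")
    if auth.amount_cents <= 0:
        problems.append("authorization amount must be positive")
    last4 = auth.account_last4[-4:]
    if len(last4) != 4 or not last4.isdigit():
        problems.append("bank account information must include the last 4 digits")
    text = auth.consent_text.lower()
    if "ach" not in text or "debit" not in text:
        problems.append("consent language does not clearly authorize ACH debits")
    gap = auth.authorized_at - auth.authenticated_at
    if gap < timedelta(0) or gap > MAX_AUTH_GAP:
        problems.append("authentication was not contemporaneous with authorization")
    return problems


def _canonical(record: dict) -> str:
    # Stable serialization so the fingerprint does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def store(auth: WebAuthorization) -> dict:
    """Serialize the record and fingerprint it so reproduction can prove it is unchanged."""
    record = asdict(auth)
    record["authenticated_at"] = auth.authenticated_at.isoformat()
    record["authorized_at"] = auth.authorized_at.isoformat()
    digest = hashlib.sha256(_canonical(record).encode()).hexdigest()
    return {"record": record, "sha256": digest}


def reproduce(stored: dict) -> str:
    """Re-render a stored authorization for an examiner, refusing if the record was altered."""
    digest = hashlib.sha256(_canonical(stored["record"]).encode()).hexdigest()
    if digest != stored["sha256"]:
        raise ValueError("stored authorization record does not match its fingerprint")
    r = stored["record"]
    return (
        f"{r['customer_name']} (account ending {r['account_last4'][-4:]}) authorized "
        f"{r['schedule']} ACH debits of ${r['amount_cents'] / 100:.2f} on {r['authorized_at']} "
        f"from IP {r['ip_address']} via {r['consent_method']}; consent text: \"{r['consent_text']}\"; "
        f"revocation: {r['revocation_method']}"
    )


def may_delete(stored: dict, now: datetime) -> bool:
    """Retention check: a payment record may only be purged after the minimum period has passed."""
    authorized = datetime.fromisoformat(stored["record"]["authorized_at"])
    return now - authorized >= RETENTION_MIN


def sample_authorization() -> WebAuthorization:
    """Constructed sample input; every value here is made up for the demonstration."""
    login = datetime(2024, 3, 1, 14, 2, 10, tzinfo=timezone.utc)
    return WebAuthorization(
        customer_name="Jane Q. Customer",
        account_last4=mask_account("000123456789"),
        ip_address="198.51.100.23",
        amount_cents=4999,
        schedule="monthly",
        consent_text="I authorize Example Co to debit my bank account via ACH for $49.99 each month.",
        consent_method="checkbox+submit",
        revocation_method="Email support@example.com at least 3 business days before the next debit.",
        authenticated_at=login,
        authorized_at=login + timedelta(seconds=90),
    )


if __name__ == "__main__":
    auth = sample_authorization()
    print("problems:", validate(auth))
    print(reproduce(store(auth)))
```

The fingerprint does not replace the platform's own audit log or backups; it only makes a silently edited record detectable when an authorization is reproduced on request, which is the failure the "Inadequate Record Keeping" item describes.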
Signed Agreements (B2B or Recurring Payments)
SEC Code CCD - Signed/Written Agreement including appropriate authorization language binding corporate entities to the Rules
SEC Code PPD - Signed/Written Agreement between business & consumer with appropriate authorization language
Standing Authorization Framework for recurring payments
Common Issues to Avoid
❌ Insufficient Authorization Language: Consent that doesn't clearly authorize ACH debits per Nacha rules [ACH Auth Guide]
❌ Improper Use of Authorization Types: Ensure payments are submitted with the proper SEC code based on how the authorization was obtained. B2B payments should use the CCD SEC code, which reduces the return window from 60 days to 2 days
❌ Missing Authentication: No way to verify customer identity during authorization
❌ Inadequate Record Keeping: Cannot reproduce customer authorizations upon request
❌ Unclear Fee Disclosure: Customers unaware of all charges
❌ Missing Privacy Disclosures: No mention of data sharing with payment processor
All documentation must be current, accurately reflect actual practices, and be readily available for regulatory examination.