Beyond the Block: Why Your Modesto Business Needs an Operational Strategy for ACH Filters, Not Just a Bank Setting — Datapath managed IT, cybersecurity, and compliance
Back to Blog
GENERAL Insights Published July 5, 2026 Updated July 5, 2026 5 min read

Beyond the Block: Why Your Modesto Business Needs an Operational Strategy for ACH Filters, Not Just a Bank Setting

An ACH filter is a security control that blocks unauthorized debits from your corporate accounts. For mid-market firms, the value isn't in the 'filter'.

Nathan La Fleche, Director of Strategic Partnerships at Datapath

By

Nathan La Fleche

Director of Strategic Partnerships

CaliforniaCentral Valleycompliance

Quick summary

  • An ACH filter is a security control that blocks unauthorized debits from your corporate accounts. For mid-market firms, the value isn't in the 'filter' itself, but in the operational workflow used to whitelist legitimate vendors without stalling your treasury operations.
  • An ACH filter is a security control that blocks unauthorized debits from your corporate accounts.
  • For mid market firms, the value isn't in the 'filter' itself, but in the operational workflow used to whitelist legitimate vendors without stalling your treasury operations.

An ACH filter is a security control that blocks unauthorized debits from your corporate accounts. For mid-market firms, the value isn’t in the ‘filter’ itself, but in the operational workflow used to whitelist legitimate vendors without stalling your treasury operations.

It started with a Tuesday morning phone call to a CFO at a mid-market firm in Modesto, CA. The company had a $12,000 unauthorized ACH pull from a vendor that looked almost—but not quite—like their primary logistics provider. The “pull” had bypassed their basic security because the bank’s default settings were wide open. The CFO had a “filter” enabled, but it was a generic one that hadn’t been audited since the company’s last office move three years ago.

This is the a typical “commodity” failure. Most MSPs will tell you to just “turn on the filter” at your bank and call it a day. But in the mid-market space, a filter without a management workflow is either a security hole or a business bottleneck. If the filter is too permissive, you’re still vulnerable to Business Email Compromise (BEC). If it’s too restrictive, you’ll find your critical supply chain payments blocked, leading to late fees and strained vendor relationships.

The Technical Gap: Block vs. Filter vs. Positive Pay

When we sit down with finance teams in financial services and mid-market firms, we find a significant amount of confusion regarding the actual tools provided by treasury management. The term “ACH Filter” is often used as a catch-all, but there are three distinct levels of control. Using the wrong one for your transaction volume creates unnecessary friction.

An ACH Block is the nuclear option. It stops all ACH debits from hitting the account. This is ideal for dormant accounts or accounts that only ever send money and never receive pulls. However, for a growing Modesto business, a total block is usually impractical.

An ACH Filter (or Whitelist) allows you to specify which Company IDs are authorized to pull funds. If a request comes from an ID not on your list, the bank rejects it. The weakness here is maintenance. When a vendor changes their banking partner or updates their ID, your payment fails. Without a dedicated process to update these IDs, the filter becomes a liability.

ACH Positive Pay is the most granular. It requires the business to upload a file of expected payments, or manually approve each transaction through a portal. While the most secure, the operational overhead is massive for a 100-person company without a dedicated treasury department.

Choosing the Right Control Level

FeatureACH BlockACH FilterACH Positive Pay
ScopeAll or nothing (all debits blocked)Whitelist/Blacklist specific IDsTransaction-by-transaction approval
Best FitDormant accounts / Low-activity accountsMid-market firms with steady vendorsHigh-volume enterprises
Operational EffortLowMedium (requires list maintenance)High (requires daily review)
Primary RiskLegitimate payments failList obsolescence / “Stale” IDsHuman error during manual approval

The “Operational Gap” and the Risk of the Stale Whitelist

Turning on an ACH filter is a five-minute task in a banking portal. Maintaining that filter is a lifelong commitment. This is where the “commodity IT” approach fails. A generic MSP might help you set up the portal, but they won’t help you build the workflow to manage the IDs inside it.

Consider the friction: A new vendor is onboarded. The accounts payable (AP) clerk enters the payment. The bank rejects the pull because the vendor’s ID isn’t on the filter. The vendor sends a late notice. The CFO spends thirty minutes on the phone with the bank to add the ID. This cycle, repeated across twenty vendors, creates a culture where the AP team eventually asks the CFO to “just open up the filter” to make things easier.

Once you “open up the filter” to reduce friction, you have effectively deleted your security control. You are now back to square one, hoping that your bank’s generic fraud detection catches a $12,000 fraudulent pull before it clears.

Building a Secure Treasury Workflow

To move from “commodity security” to an actual outcome of accountability, we implement a specific operational workflow. Security is not a setting; it is a process. For our clients, we recommend a a dual-authorization framework for all treasury changes. This ensures that no single person—whether a compromised employee or a social engineer—can unilaterally change who is allowed to pull money from your accounts.

We suggest the following operational steps for managing your ACH filters:

  • Authorized Originator Mapping: Document every single vendor that has a “pull” agreement with your firm, including their verified Company IDs.
  • Multi-Factor Authentication (MFA) for Portal Access: Ensure the banking portal used to manage the filter is protected by hardware-based MFA, not just SMS codes.
  • Quarterly Whitelist Audits: Every 90 days, review the list of allowed IDs. Remove any vendors you no longer do business with to shrink your attack surface.
  • Dual-Authorization for Additions: Require two signatures (or digital approvals) before a new Company ID is added to the whitelist.
  • Incident Response Integration: Define exactly what happens when a legitimate payment is blocked. Who is notified? How is the vendor contacted? How is the ID verified?

Mapping ACH Filters to the GLBA Safeguards Rule

For many of our clients in finance and banking, these controls aren’t just “best practices”—they are regulatory requirements. The FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards.

An unmanaged ACH filter is a failure of “technical safeguards.” If you are simply relying on a bank’s default setting without a documented process for auditing and updating those filters, you are not meeting the spirit of the Safeguards Rule. The rule mandates a proactive approach to identifying and managing risks. A stale whitelist is a known risk that can be exploited via Business Email Compromise (BEC) if the attacker manages to spoof a trusted vendor’s ID or find a gap in your filter settings.

This is why we emphasize the role of a vCISO (Virtual Chief Information Security Officer). A vCISO doesn’t just look at your firewall; they look at your treasury workflow. They ask: “Who has the authority to change the ACH filter? How is that change documented? How do we know the current whitelist is accurate?”

The Datapath Approach: Outcomes Over Settings

Most businesses don’t actually want an “ACH Filter”; they want the outcome of financial integrity. They want to know that their money is safe, their vendors are paid on time, and their compliance audits will pass without a hitch.

At Datapath, we don’t just “manage your IT.” We integrate your cybersecurity with your business operations. Whether we are helping you navigate GLBA Safeguards compliance or hardening your network for a mid-market firm in the Central Valley, we focus on the intersection of technical controls and human workflows.

If your current MSP has given you a checklist of “settings to turn on” but hasn’t helped you design the workflow to manage them, you have a gap in your security posture. The difference between a secure business and a vulnerable one isn’t the tool—it’s the discipline of the process.

Ready to move beyond the generic “best practices” and build a treasury workflow that actually protects your bottom line? Book a consultation with our team to see how we can align your technical controls with your operational reality.


Need a partner for this work? Explore Datapath’s managed IT services or contact our team.

See also

Disclaimer: This blog is intended for marketing purposes only, and nothing presented in here is contractually binding or necessarily the final opinion of the authors.

Need a practical roadmap for regulated-industry IT performance?

Datapath can benchmark your current model and define the next 90 days of high-impact improvements.

Book a Consultation