Microdeposit verification is one of the oldest and most reliable methods for confirming that a customer's bank account is real and accessible before initiating ACH payments, payouts, or direct debits. It works by sending two tiny, randomized deposits to the provided account and asking the user to confirm the exact values — a simple but effective proof of access.
Despite the rise of faster alternatives, microdeposits remain a foundational tool in the payment stack. Understanding how they work, when to use them, and how to implement them correctly is essential for any merchant or developer handling bank-to-bank payment flows.
How Microdeposit Works
The microdeposit process follows a well-defined sequence: collect bank credentials, send test funds, verify the response. Each step is straightforward, but the implementation details — timing, retry logic, expiry windows — determine whether the flow succeeds or creates friction that drives users to abandon the verification entirely.
Collect Bank Account Details
The user provides their bank routing number and account number, typically through a form on the merchant's checkout or onboarding flow. No online banking login is required at this stage — just the two numbers printed on a check or found in the user's banking app.
Initiate Two Small ACH Deposits
The payment platform submits two separate ACH credit entries to the user's bank account. Each deposit carries a randomized amount between $0.01 and $0.10. The transactions typically appear within 1–3 business days, labeled with a recognizable descriptor such as the company name or "VERIFICATION."
User Checks Their Bank Statement
The user logs into their bank account — or reviews their statement — to find the two deposit amounts. The merchant's platform should send a notification email or in-app prompt with instructions at the moment the deposits are initiated, so the user knows what to look for and when.
User Enters the Deposit Amounts
The user returns to the merchant's platform and enters the two deposit values in the order they appear on their statement. A verification window — commonly 10 days — applies. Entering the wrong amounts typically triggers a limited number of retries before the attempt is locked out.
System Validates and Activates the Account
The platform compares the submitted values against the amounts it sent. On a match, the account is marked as verified and ACH debits, payouts, or transfers are enabled. On a mismatch or expiry, the verification fails and the user must restart the process from step one.
Why Microdeposit Matters
Bank account verification is not optional for businesses operating ACH payment flows — it is a regulatory and risk management requirement. Sending ACH debits to unverified accounts creates exposure to unauthorized return codes, fraud losses, and potential NACHA rule violations that can result in suspension from the ACH network.
The scale of ACH underscores why verification matters: the ACH Network processed over 31.5 billion payments totaling more than $80 trillion in 2023, according to Nacha's annual report. Even a fractional error or fraud rate across that volume translates to significant losses. For context, the Association for Financial Professionals found in its 2024 Payments Fraud Survey that 80% of organizations experienced payments fraud attempts in 2023, with ACH debits and credits among the most targeted payment types.
Verification Completion Rates
Payment research consistently shows microdeposit flows see completion rates of 70–80%, compared to 85–95% for instant account verification methods. The gap reflects the 1–3 day wait and manual re-entry step. Optimizing reminder timing and simplifying the amount-entry UI can recover 5–10 percentage points of that gap.
For platforms running marketplace payouts, lending disbursements, or subscription billing, an unverified account that slips through is not just a failed transaction — it is a potential return fee, a fraud vector, and a customer service incident. Microdeposits are a cheap, low-dependency way to prevent all three.
Microdeposit vs. Instant Account Verification
Instant account verification has become the default recommendation for consumer-facing flows, but microdeposits continue to serve use cases where login-based access is unavailable, undesirable, or architecturally unsuitable. The right choice depends on your user base, timeline, and risk tolerance.
| Feature | Microdeposit | Instant Account Verification |
|---|---|---|
| Verification speed | 1–3 business days | Seconds |
| US bank coverage | All US banks | ~12,000+ via data aggregators |
| User friction | High — manual amount entry | Low — bank login flow |
| Credentials required | Routing + account number only | Online banking username/password |
| Cost per attempt | Low ($0.01–$0.10 in deposits) | Higher (per-call API fees) |
| Fraud resistance | Moderate | Moderate to high |
| International support | US ACH only | Growing via open banking |
| Audit trail | Deposit confirmation record | Read-only data snapshot |
| Works without internet banking | Yes | No |
Microdeposits win on coverage and cost. Instant verification wins on speed and conversion. Many platforms offer both, defaulting to instant and falling back to microdeposits for users whose banks are not supported or who decline to share login credentials.
Types of Microdeposit
Not all microdeposit implementations are identical. Variation exists in the number of deposits sent, the timing mechanism, and how funds are recovered after verification.
Standard dual microdeposit is the most common format: two randomized deposits sent simultaneously via ACH, both of which the user must confirm. This is the method used by Stripe, Dwolla, and most ACH origination APIs. The dual-amount design makes guessing statistically impractical.
Single microdeposit sends one deposit, reducing the verification surface to a single value. Some platforms adopt this to simplify the user experience, accepting a marginally higher guessing risk in exchange for a simpler entry form. Less common than dual-deposit but used in some white-label bank account products.
Same-day microdeposit uses Same Day ACH to deliver the test deposits within hours rather than 1–3 business days. This is increasingly available through major ACH originators and significantly improves completion rates by closing the gap between deposit initiation and user re-engagement. The cost per transaction is higher than standard ACH.
Penny test via wire or RTP — in some B2B or enterprise contexts, a sub-dollar amount is sent via wire or Real-Time Payments rather than ACH. This delivers the verification amount in seconds, effectively creating an instant microdeposit. Uncommon in consumer flows due to cost and infrastructure overhead.
Best Practices
Implementing microdeposit verification correctly requires attention to both the business logic and the user experience. Poorly timed notifications, unclear instructions, and inadequate error handling are the primary reasons verification flows fail — not the microdeposit mechanism itself.
For Merchants
- Set clear expectations at enrollment. Tell users exactly what to expect: two small deposits, arriving within 1–3 business days, with a 10-day window to verify. A progress indicator or email drip sequence reduces confusion and support tickets.
- Send a timed reminder. Email or SMS the user at deposit arrival — typically 24–48 hours after initiation — with a direct link to the verification screen. This single touchpoint is the highest-leverage optimization for completion rate.
- Define a retry and expiry policy. Communicate clearly how many attempts are allowed and what happens when the window closes. A graceful expiry flow that restarts verification without losing the user's other data significantly reduces abandonment.
- Reconcile or withdraw the deposits. Do not leave unclaimed microdeposits sitting permanently. Either auto-withdraw after verification or write off the nominal amounts systematically to keep your reconciliation clean.
For Developers
- Handle ACH return codes immediately. Monitor for return codes R03 (no account/unable to locate), R04 (invalid account number), and R10 (unauthorized debit). A returned microdeposit is a definitive signal — do not retry on R03 or R04 without collecting corrected account details from the user.
- Encrypt and tokenize stored account numbers. Routing and account numbers collected during the microdeposit flow must be stored with field-level encryption. Many ACH APIs issue a bank account token on initial submission so you never store raw credentials in your own database.
- Implement rate limiting on the amount-entry endpoint. Without rate limiting, an attacker who obtained an account number could brute-force the deposit amounts. Lock the attempt after 3–5 failed submissions and require re-enrollment.
- Use idempotency keys on deposit initiation. Network timeouts during ACH submission can cause duplicate deposits if retried naively. Always pass an idempotency key to your ACH API to prevent double-sending.
- Log verification outcomes for audit. Retain a timestamped record of when verification was initiated, when amounts were submitted, and whether they matched. This log is your evidence of due diligence in the event of a dispute or NACHA audit.
Common Mistakes
Microdeposit flows fail most often because of predictable implementation gaps that are straightforward to fix once identified.
Sending deposits without a notification. Many teams initiate the deposits and expect users to check their bank account unprompted. Without an email or SMS with clear instructions, completion rates drop sharply. The deposit appears as a small, unrecognized credit that most users ignore.
No expiry communication. If the 10-day verification window closes and the account is silently deactivated, users who try to pay days later encounter a confusing error with no obvious path forward. Always email an expiry warning 48 hours before the window closes.
Accepting any two numbers as "close enough." Some implementations apply fuzzy matching or rounding to the amount-entry validation. This defeats the security purpose of the microdeposit entirely. Validation must be exact — $0.03 is not $0.04.
Not accounting for direct debit timing differences. Developers who build against a sandbox environment with instant deposit simulation often fail to account for real-world ACH settlement timing. Users in production see delays that were invisible in testing, leading to support escalations and abandoned verifications.
Ignoring pre-notification (prenote) requirements. Some ACH origination agreements require a zero-dollar prenote to be sent and honored before any credit or debit entries. Skipping prenotes when required by your bank agreement can put your ACH origination status at risk.
Microdeposit and Tagada
Tagada's payment orchestration layer sits above the underlying ACH processors and bank verification providers, enabling merchants to route verification flows to the optimal provider based on coverage, cost, and fallback logic — without rewriting integration code each time.
When instant account verification fails — due to unsupported bank, user refusal to share credentials, or API downtime — Tagada can automatically fall back to a microdeposit flow with the same merchant-facing API contract. This means your checkout never hard-fails on account verification; it degrades gracefully while preserving conversion.
For platforms managing payouts to a large contractor or seller base, Tagada's orchestration can apply verification rules by payout tier — routing high-value recipients through microdeposit verification for its audit trail, and low-value recipients through faster instant methods. This risk-tiered approach balances security rigor with the frictionless experience that conversion-sensitive flows demand.