Collect the user's bank routing number and account number, then initiate two small ACH credit micro-deposits (typically between $0.01 and $0.99 each) to the account; store the amounts against the user's account record.
Wait for the deposits to settle (typically 1–3 business days for standard ACH); notify the user via email or in-app prompt to check their bank statement.
Present a verification form where the user enters the two deposit amounts; compare against the stored amounts with a constant-time comparison to prevent timing attacks.
Implement attempt limiting: lock the verification after 3–5 failed attempts and require the user to restart with a new set of deposits, which prevents brute-force guessing within the small range of possible deposit amounts.
On successful verification, mark the bank account as verified in your database and withdraw the micro-deposit amounts via ACH debit or absorb them as a cost of verification.
Set an expiry window (e.g., 10 days) on pending verifications; if the user does not verify within the window, mark the bank account as expired and require re-enrollment.
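The comparison, attempt limit and expiry window from the steps above, as an added example (not code from the original page). The `PendingVerification` record, the status strings and the order-independent matching are assumptions; amounts are integer cents and the caller has already parsed the form into two integers.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3               # the steps above suggest 3-5
EXPIRY = timedelta(days=10)    # example window from the steps above


@dataclass
class PendingVerification:     # hypothetical record standing in for a DB row
    amounts_cents: tuple       # the two deposits, each 1..99 cents
    created_at: datetime
    failed_attempts: int = 0
    status: str = "pending"    # pending | verified | locked | expired


def new_verification(now: datetime) -> PendingVerification:
    # Draw both amounts from a CSPRNG so they cannot be predicted.
    amounts = (secrets.randbelow(99) + 1, secrets.randbelow(99) + 1)
    return PendingVerification(amounts, now)


def _encode(amounts) -> bytes:
    # Fixed-width encoding; sorted so entry order does not matter (assumption).
    return b"%02d:%02d" % tuple(sorted(amounts))


def verify(v: PendingVerification, submitted_cents, now: datetime) -> str:
    if v.status != "pending":
        return v.status        # verified, locked and expired are terminal
    if now - v.created_at > EXPIRY:
        v.status = "expired"   # user must re-enroll the bank account
        return v.status
    # compare_digest runs in time independent of where the inputs differ.
    if hmac.compare_digest(_encode(v.amounts_cents), _encode(submitted_cents)):
        v.status = "verified"
    else:
        v.failed_attempts += 1
        if v.failed_attempts >= MAX_ATTEMPTS:
            v.status = "locked"  # restart with a new set of deposits
    return v.status
```

Persist `failed_attempts` and `status` in the same transaction as the check so that parallel submissions cannot exceed the attempt limit.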
Known gotchas
Some users' banks aggregate or round micro-deposits in their transaction history display, making it hard for users to find the exact amounts; provide clear instructions and consider offering an alternative verification method (instant verification via Plaid or similar).
Micro-deposits are ACH credits, which means they can be returned (e.g., R03 no account, R04 invalid account number) within the normal return window; treat a return as a verification failure and notify the user.
Nacha rules and bank policies may restrict the frequency and volume of micro-deposit origination from a single ODFI; if you are doing high volumes, confirm with your sponsor bank that your usage is within acceptable limits.