Our bank is a Receiving Bank for ACH. What is our liabiity as to paying the ACH if we do not have authorization on file? Thanks for answer or information on where to look for answer.

you are not required to have an authorization on file as the RDFI. The originator is required to keep the authorization, and the ODFI must furnsih it if and when requested.

Then it is the customer's resposibiity to notify bank if an ACH is paid that was not/is not authorized?

That's correct. If they tell you it's unauthorized, you would have them complete a WSUPP and return it as "R10- Customer Advises Not Authorized" for consumer SEC transactions; "R29 Corporate Customer advises not Authorised" for corporate SEC transactions.

But there are some return timeframes involved. On consumer entries, they must be returned by the 60th day after settlement. If a customer notifies you after the ACH return deadline, you may still have some liability under Reg E. The timeframes are much shorter on Corporate entries. Unauthorized entries must be returned by the 2nd business day after settlement. For this reason, several RDFIs have filters which only allow authorized entries to post. Even after the return deadlines, there are still warranties in place from the Originating Financial Institution concerning authorizations, so you may be able to seek other remedies.

For more information on the warranties, see pages OG 44-46 of the 2009 NACHA Rulebook. I would also suggest checking with your regional payment association for additional training. We belong to WESPAY, and they offer both archived and live seminar broadcasts on ACH Basics and RDFI Risk Management.