ACH Fraud Monitoring: How to Build a Risk-Based Program (Nacha 2026 Implementation Guide)
The Nacha 2026 risk management rules are clear about what they require: documented, risk-based processes and procedures to identify ACH entries that are unauthorized or authorized under false pretenses, reviewed at least annually. Every Phase 2 originator — every non-consumer business that sends payroll, vendor payments, or disbursements via ACH — needs that program in place by Monday, June 22, 2026.
What the rule does not tell you is how to build it. And that is the gap most teams are sitting in right now.
Trustpair's 2026 Fraud Report makes the size of the problem hard to miss. 71% of US companies say AI-powered fraud attempts are accelerating. Only 32% of companies validate vendor bank account details continuously or in real time. 13% have no validation process at all. And 45% were unaware of the Nacha 2026 deadlines as recently as January.
The pattern is consistent across every survey: organisations have a fraud monitoring policy, but the policy is not a program. A policy is a paragraph in a compliance manual. A program is a documented assessment, a set of controls aligned to that assessment, an escalation procedure, an audit trail, and an annual review. Examiners will ask to see all five.
This guide walks you through how to build each one. If you have already read MonitorPay's earlier piece on what Nacha 2026 actually requires, this article is the implementation companion to it.
The Five Components Every Compliant Program Must Have
Nacha is technology-neutral. It does not mandate a specific tool, vendor, or threshold. But it is not flexibility-neutral. Every compliant program contains the same five components. Skip any of them and the program will not survive an examiner review.
| # | Component | What it answers | Common gap |
|---|---|---|---|
| 1 | Documented risk assessment | Where ACH fraud risk lives in our specific payment flows | Generic templates that don't reflect actual flows |
| 2 | Monitoring controls by payment type | What we look for, and what triggers a review | Same controls applied to all payment types regardless of risk |
| 3 | Exception handling and escalation | What happens when something is flagged | Informal "the team handles it" with no named owner |
| 4 | Annual review with revision log | How we keep the program current | A policy document with no date, no author, no revision history |
| 5 | Independent account validation | How we know account information is real before payment | Manual email or phone verification — defeated by VEC |
The rest of this article is one section per component, in build order.
Component 1 — The Risk Assessment (with Sample Table)
Every compliant program starts here. The risk assessment is the document an examiner will ask for first, and it is the foundation everything else points back to. A monitoring control is only defensible if it is tied to a specific risk identified in the assessment.
A risk assessment is not a generic compliance template. It is a written analysis of your payment flows, scored on inherent risk, with the controls that mitigate each one named explicitly.
The four-step framework
Step 1 — Map every ACH payment flow. List every flow your organisation originates: payroll credits, vendor payments, refunds, disbursements, marketplace payouts, intercompany transfers, tax payments. Treat each one as a separate row. If you do not know all your flows, you cannot risk-assess them.
Step 2 — Score each flow on inherent risk. Use four factors:
- Volume — how many transactions per month
- Average transaction size — small recurring or large one-time
- Bank detail change rate — how often beneficiary banking information is updated
- Authorisation strength — how the change request is received and verified today
Score each on a low / medium / high scale. The combined score gives you the inherent risk for that flow.
Step 3 — Identify the False Pretenses entry points. For each flow, name the specific attack pattern most likely to land. Vendor email compromise on a bank detail change? Payroll redirection through HR portal? Fake new vendor onboarding? Be specific. "Payment fraud" is not a risk — it is a category.
Step 4 — Document the controls that mitigate each risk. Name the control and the owner. Generic descriptions ("we have controls") will not survive scrutiny.
Sample risk assessment table
This is what a defensible row looks like. Build one for every payment flow you originate.
| Payment flow | Volume / month | Inherent risk | Primary False Pretenses risk | Controls in place | Owner |
|---|---|---|---|---|---|
| Payroll credits (PPD) | ~450 | Medium | Direct deposit redirection via HR portal change | HR portal MFA; account ownership verification on every change; 24-hr cooling-off before first deposit to new account | Payroll Manager |
| Vendor payments (CCD) | ~1,200 | High | Vendor email compromise + bank detail change request | Out-of-band callback to known number; account ownership API on every new account or change; dual approval for changes above threshold | AP Manager |
| Refunds (PPD/CCD) | ~800 | Low | Refund to fraudulent account submitted with original transaction | Refund only to original payment account; manual review for any deviation | Finance Operations |
| One-time disbursements | ~30 | High | Fake recipient submitted with high-value request | Independent entity verification (EIN match); account ownership API; CFO approval over $50k | Treasury |
This is a sample structure, not your assessment. Yours must reflect your actual flows, volumes, and controls. The point is the format: every row is a risk you can defend to an examiner.
The test: hand the document to your CFO. Could they explain in one sentence why each control mitigates each risk? If not, the assessment is not done.
Component 2 — Monitoring Controls by Payment Type
Risk-based means controls scale with risk — heavier scrutiny on higher-risk flows, lighter checks on routine low-risk activity. Nacha is explicit: a risk-based approach should not conclude that no monitoring is necessary at all. Even on lower-risk flows, some level of monitoring is required.
The four payment types below cover most of what non-consumer originators send. Each one gets a minimum control tier and a stronger control tier. Pick based on your volume and inherent risk score from Component 1.
Payroll credits
Minimum control: require multi-factor authentication on the HR portal where employees update direct deposit details. Apply a 24-hour hold and email confirmation to the prior account before any first deposit to a new account.
Stronger control: independent account ownership verification on every direct deposit change, matching the new account number against the employee's name in real time. This catches payroll redirection fraud before the payroll run, not after.
Vendor payments
Highest-risk flow for most originators. Vendor email compromise routinely defeats manual checks because the fraudster controls the supplier's mailbox.
Minimum control: out-of-band callback to a known number from your vendor master file (not from the change request itself) for every bank detail change. Dual approval above a threshold.
Stronger control: real-time account ownership verification on every new vendor and every bank detail change, regardless of amount. The verification is independent of the email channel that the fraudster has compromised. This is the control specifically designed to defeat the four False Pretenses attack patterns Nacha names.
Marketplace and platform payouts
Different risk profile because volume is higher and onboarding happens at scale. The threat is less about the existing supplier base and more about new accounts entering the system.
Minimum control: identity verification at signup; account validation before first payout; velocity thresholds that flag unusual inflow / outflow patterns.
Stronger control: registry-sourced entity verification (does this business actually exist?) plus account ownership verification (does this account belong to the entity that signed up?) at the point of onboarding. For US payouts, EIN verification adds entity-level confirmation. See MonitorPay's KYB guide for marketplaces for the full workflow.
Refunds and disbursements
Often overlooked, but a real attack vector — particularly when refunds can be redirected to a different account than the original payment.
Minimum control: refund only to the original payment account. Manual review and dual approval for any deviation.
Stronger control: account ownership verification on the refund destination if it differs from the original; threshold rules that escalate any disbursement above a defined value to treasury or CFO approval.
Component 3 — Exception Handling and Escalation
This is where most programs fail an examiner review. The monitoring catches an anomaly, and then nothing is documented about what happens next. "Someone in finance deals with it" is not a procedure.
A defensible exception-handling procedure has four named elements:
- The reviewer. A named role — not a person, not "the team." If your AP Manager is on leave, who reviews? That is part of the procedure.
- The escalation path. Level 1: AP / Payroll. Level 2: Finance Manager or Controller. Level 3: CFO and ODFI contact. Each level has a named owner and a defined trigger.
- The decision options. What can the reviewer do? Hold the payment? Pause processing on the entire batch? Contact the supplier through an independently sourced number? Contact the ODFI? Each option must be written down.
- The log. Every flagged transaction, decision, and outcome must be recorded — date, time, reviewer, action taken, resolution. This is your audit trail.
Sample escalation matrix
| Trigger | Level 1 owner | Level 2 owner | ODFI contact |
|---|---|---|---|
| Account ownership verification returns "no match" | AP Manager | Controller | If pattern detected |
| Vendor bank detail change above $25,000 | AP Manager | Controller | No (resolve internally) |
| Single-payment disbursement above $100,000 | Treasurer | CFO | If suspicious |
| Multiple new accounts added by same employee in 48 hours | Controller | CFO + Internal Audit | Yes — possible insider fraud |
| Direct deposit change one cycle before payday | Payroll Manager | HR Director | No (resolve internally) |
The matrix is not the policy. The policy explains what each level does, how decisions are recorded, and how the ODFI is contacted when needed. The matrix is what gets pinned next to the AP Manager's screen.
The control your program reports against
A risk-based program is only as strong as the data underneath it. MonitorPay's Account Ownership Verification API is the verification layer that makes Components 2, 3, and 5 of your program defensible — independent confirmation that a bank account is active and owned by the named entity, with an audit trail attached to every check. Used by 289,000+ businesses across 190+ countries.
See how it integrates into your workflow →Component 4 — The Annual Review Process
Nacha is explicit on this: processes and procedures must be reviewed at least annually, with documentation. Most current articles mention the requirement and stop there. The reason it matters is that the review log is the single artifact that proves your program is current. Without it, even a strong policy looks stale.
What the annual review must contain
- Date of the review — not "annual review 2026," a specific date
- Author — named individual who conducted the review
- What changed since the prior review — new payment flows, new threats, new controls added or removed
- What was tested — evidence that the controls were exercised, not just documented
- Findings and remediation — gaps identified, what was changed in response
- Next review date — calendared, owned
Sample annual review log entry
| Field | Entry |
|---|---|
| Review date | April 14, 2026 |
| Reviewer | J. Smith, Controller |
| Scope | Full ACH fraud monitoring program — payroll, vendor, refund, disbursement flows |
| Changes since prior review | Added marketplace payout flow (March 2026); replaced manual callback with account ownership API on vendor change requests; updated escalation matrix |
| Controls tested | Sampled 30 vendor change requests Q1 2026 — all routed through account ownership verification; reviewed 12 payroll changes — all matched HR portal MFA + 24-hr cooling-off |
| Findings | Two vendor changes pre-API still in queue — closed and rerun. Refund flow lacks documented threshold for review — added. |
| Remediation | Refund threshold added at $5,000. AP Manager training scheduled May 2026. |
| Next review date | April 13, 2027 |
Build the annual review into your compliance calendar. The first review can be the same document you use to certify compliance for June 22 — but every subsequent year must add a new entry. A policy with no revision history will not satisfy the rule.
Component 5 — Account Validation as the Operational Backbone
The False Pretenses attacks Nacha names — vendor email compromise, vendor bank detail change fraud, payroll redirection, fake new vendor onboarding — all succeed for the same reason. The organisation accepts bank account information without independently verifying that the account belongs to the entity claiming to own it.
Independent account validation is the control that closes that gap. It is also the control that produces the audit trail your annual review needs.
How the three validation methods compare against the False Pretenses test
| Method | How it works | Speed | Confirms ownership? | Catches False Pretenses? |
|---|---|---|---|---|
| Micro-deposits | Small test deposits sent; recipient confirms exact amounts | 1–3 business days | Partial — confirms account access, not legal ownership | No — fraudster who controls the account confirms perfectly |
| Pre-notifications | Zero-dollar entry sent ahead of first live payment | 3 business days | No — confirms account format and acceptance only | No — does not check name or ownership |
| Real-time account ownership API ★ | Live check that account is active, name matches, entity match against independent banking data | Under one second | Yes | Yes — designed for this requirement |
For most non-consumer originators, the path forward is layered. Use account ownership verification at the two highest-risk events — vendor onboarding and bank detail change — where the False Pretenses risk is concentrated. Use lower-cost methods (pre-notes, micro-deposits) where they fit the risk profile, but do not rely on them alone for high-value flows or change requests.
The integration is operational, not strategic. Two API call points cover most of the risk:
- At point of vendor or employee onboarding — before the bank account enters the ERP
- At point of bank detail change — every time, regardless of who submits or how
Both points produce an auditable record — timestamp, query, response, matched entity. That record is what satisfies the documentation requirement Nacha will check for in 2027 and every year after.
For a deeper view on why one-time verification at onboarding is not sufficient, see MonitorPay's analysis of continuous monitoring for payment accounts.
The 60-Day Build Calendar
If you are starting from zero today, this is the path to examiner-ready by June 22. The calendar assumes one named compliance owner working with AP, payroll, treasury, and IT. Compress where you can; do not skip steps.
| Week | Workstream | Deliverable |
|---|---|---|
| 1 | Map all ACH payment flows | Inventory: every flow, volume, current controls, current owner |
| 2 | Conduct risk assessment | Completed risk assessment table — every flow scored, every False Pretenses risk named |
| 3 | Define monitoring controls by payment type | Control set per flow — minimum + stronger tier where risk demands it |
| 4 | Build escalation matrix | Named owners at each level; trigger thresholds defined |
| 5 | Procure / configure account validation | Account ownership API integrated at vendor onboarding and bank-change touchpoints; test transactions logged |
| 6 | Document exception-handling procedure | Written procedure — reviewer roles, decision options, log format |
| 7 | Train AP, payroll, and treasury | Training session held; attendance logged; refresher cadence calendared |
| 8 | Conduct first annual review | Review log entry — date, author, scope, controls tested, findings |
| 9 | Internal audit walk-through | Internal audit reviews documentation; gaps remediated |
| 10 | Sign-off and ODFI confirmation | CFO sign-off on program; ODFI notified that program is in place |
Most teams underestimate weeks 5–7. Procurement and integration of an account validation provider takes longer than expected when it is treated as a budgeting question rather than a deadline-driven build. Start the procurement conversation in week 1, not week 5.
What Examiners Actually Look For
The difference between a program that scores Class 1 and one that triggers Class 3 is rarely the technology. It is the documentation. Examiners are not looking for the most sophisticated fraud monitoring platform on the market. They are looking for evidence that you have done four things:
- You can show them the risk assessment. Dated, signed, specific to your flows. Not a template downloaded from the internet.
- You can show them the controls aligned to that assessment. Each control points back to a risk in the assessment. Each control has an owner.
- You can show them the exception log. Real flagged events from the past year. What was flagged, who reviewed, what happened next, how it resolved.
- You can show them the annual review. Dated. Authored. With a list of changes since the prior review. With evidence that controls were tested.
The fastest way to fail is to present a polished policy document with no underlying activity. The fastest way to pass is the opposite — clear documentation of small ongoing decisions, all logged, all traceable.
Bank examiners are also being directed to treat weak ACH fraud programs as evidence of broader operational-risk and governance deficiencies — particularly for fintechs and financial institutions operating under FRB, OCC, or FDIC supervision. The exposure does not stop at Nacha.
Three ways to add account validation to your fraud monitoring program
MonitorPay supports each of the verification touchpoints in this guide — at the data layer, at the workflow layer, or as a one-off compliance project. Pick the one that matches where you are in the build.
- Bulk verification — upload your existing vendor master file or employee direct deposit list. Get a clean baseline before June 22. One-off, file-based, no integration required.
- API — embed account ownership verification at the moments that matter: onboarding, bank detail change, payment file pre-flight. Sub-second response. Audit trail built in.
- Online platform — manual lookup for occasional checks. AP teams that need to verify a one-off vendor change request without integrating anything.
Frequently Asked Questions
How long does it actually take to build a Nacha-compliant ACH fraud monitoring program?
Most non-consumer originators starting from zero can reach examiner-ready in 60 to 90 days with a single dedicated compliance owner working alongside AP, payroll, and IT. The risk assessment and policy documentation can be completed in two to three weeks. The slower step is procuring and integrating an account validation provider, which is why it should start in week 1 of the build rather than later. Larger organisations with multiple ACH origination flows or international footprint should budget closer to 90 days.
Do I need a separate risk assessment for each payment type, or one combined document?
One combined document with separate rows or sections for each payment flow is standard. The reason is that examiners want to see the relationships between flows — which controls apply across multiple flows, which are flow-specific. A single combined assessment with payroll, vendor payments, refunds, disbursements, and any other flow as separate rows is the cleanest format. What matters is that each flow is risk-scored independently, with named False Pretenses risks and named controls.
Who in my organisation should own the annual review?
The reviewer should be senior enough to make decisions about control changes, but operationally close enough to know what is actually happening. In most non-consumer originators, this is the Controller, the VP of Finance, or the head of internal audit. The CFO is too senior; the AP Manager is too operational. The reviewer must be named in the program documentation. If they leave the role, the program must be updated to name their replacement before the next review.
How is risk-based monitoring different for a fintech versus a corporate AP team?
Same five components, very different emphasis. A corporate AP team's highest-risk flow is vendor payments, with bank detail change fraud as the dominant threat. A fintech or marketplace's highest-risk flow is new account onboarding at scale, with mule patterns and synthetic identity fraud as the dominant threats. Both need account validation, but at different touchpoints — the AP team verifies on change requests; the fintech verifies on signup. A fintech also has TPSP / TPS responsibilities under Nacha, which extend the monitoring obligations to the originators using its platform. Corporates do not.
What is the difference between a fraud monitoring policy and a fraud monitoring program?
A policy is a document that says what your organisation intends to do. A program is the policy plus everything that proves you actually do it: the risk assessment, the operational controls, the escalation procedure, the exception log, and the annual review. Nacha's 2026 rules require a program, not a policy. This is also where most existing ACH compliance fails — Nacha's own data suggests that the majority of organisations have a policy in place but only a minority have documented, tested procedures that meet the standard.
Does the rule require automated monitoring, or is manual review acceptable?
Nacha is technology-neutral. Manual review is permitted in principle. In practice, manual review at any meaningful volume cannot produce the documented, auditable trail the rule requires. Email confirmations and phone callbacks leave no consistent record, and they cannot scale. For low-volume originators with a small vendor base, manual processes can be defensible if rigorously logged. For mid-sized and larger originators, automated account validation is the practical path to compliance — both because the volume is too high for manual checks and because the audit trail is generated automatically.
What if my ACH activity is mostly outbound payroll? Do all five components apply?
Yes. The components apply to any non-consumer originator regardless of payment mix. A payroll-heavy originator may have a smaller risk assessment — fewer flows to map, simpler control set — but the structure is identical. Payroll redirection fraud is one of the four False Pretenses attack patterns Nacha specifically names, so a payroll-only originator should expect their controls around direct deposit changes to be examined closely.
What is the minimum viable program for a small business?
For a small non-consumer originator, the minimum is: a one-page risk assessment naming the payment flows and the False Pretenses risks; a documented control set including out-of-band callback on bank changes and account validation on every new vendor; a written escalation procedure with a named reviewer; an exception log; and a dated annual review. The program does not need to be sophisticated to be compliant. It needs to be specific, documented, and exercised. Many small businesses already do most of this informally — the build is mostly about formalising what is already happening.
How do I demonstrate to examiners that controls were tested, not just documented?
Sampling is the most common method. Pull a random sample of transactions from the past quarter — vendor change requests, new vendor onboarding events, payroll changes — and walk through each one against the documented procedure. Did the callback happen? Was account validation run? Was the exception log updated? The annual review entry should describe what was sampled, the sample size, and the findings. This is also the activity most likely to surface gaps before an examiner does, which is the real value of doing it.
Does the program need to cover ACH payments my organisation receives, or only those we send?
For most non-consumer originators, the rule is focused on the entries you originate as the sender. If you are also an RDFI — a depository financial institution receiving ACH credits — the rule additionally requires you to monitor incoming credits for unauthorized or False Pretenses patterns under separate provisions. Most non-bank originators are not RDFIs and only need to address the origination side. If you are a fintech operating partner banks or sponsoring ACH flows, check with your sponsor bank about which obligations sit with you versus with them.
