Nacha 2026 ACH Fraud Rules: What “Risk-Based Monitoring” Actually Means
Nacha's 2026 risk management amendments are the biggest change to ACH operating rules in years. They apply to every non-consumer business that originates ACH payments — not just banks. Phase 1 is already live (March 20). Phase 2 deadline is June 22, 2026.
This guide explains exactly what changed, who is in scope, what "risk-based processes" actually means in practice, and what you need to have documented before June 22.
The ACH Network is the backbone of US electronic payments. Payroll, vendor payments, supplier disbursements, marketplace payouts, insurance claims — they all run on it. And for years, the fraud monitoring rules governing it were narrow, vague, and easy to satisfy on paper without changing anything in practice.
The old rule required Originators to use a "commercially reasonable fraudulent transaction detection system" — but only for a small subset of transactions: WEB debits (e-commerce) and micro-entries. Credit payments — the kind used for payroll, vendor payments, and B2B disbursements — had almost no active monitoring requirement.
That's exactly what fraudsters exploited. Business email compromise, vendor impersonation, and payroll redirection all work by targeting credit-push flows — payments that look authorized because the victim was tricked into approving them.
The core shift: Nacha has replaced the vague "commercially reasonable" standard with a requirement for documented, risk-based processes and procedures that cover all ACH entries — debits and credits — across all payment types. And the requirement now applies to every non-consumer business that originates ACH, not just banks.
| Before 2026 — the old rule | From 2026 — what's required now | Impact |
|---|---|---|
| "Commercially reasonable fraudulent transaction detection system" | Documented, risk-based processes and procedures — specific to your payment types | Vague standard replaced with auditable documentation requirement |
| Applied only to WEB debits (e-commerce) and micro-entries | Applies to all ACH entries — debits and credits | Payroll, vendor payments, and B2B disbursements now in scope |
| Only banks and large financial institutions were primary targets | Every non-consumer Originator, TPSP, TPS, and RDFI — regardless of size | Any business that sends ACH payments is now in scope |
| No requirement to monitor for authorized-but-deceptive payments | "False Pretenses" is now a defined fraud category you must monitor for | BEC, vendor impersonation, and payroll redirection are explicitly covered |
| No annual review requirement | Processes must be reviewed and updated at least annually — with documentation | Dated review log required; a policy with no revision history will not satisfy examiners |
This is not a paperwork exercise. Nacha and bank examiners will treat weak or absent fraud programs as a direct rules violation — with fines, corrective action, and potential suspension of ACH origination privileges for persistent non-compliance.
The rules roll out in two phases based on transaction volume. Phase 1 is already in effect. Phase 2 applies to everyone else — and the practical deadline is Monday, June 22, 2026, not June 19 (Nacha has confirmed June 19 is a federal holiday).
- All ODFIs (Originating Depository Financial Institutions)
- Non-consumer Originators with ≥6M ACH entries in 2023
- TPSPs and TPSs with ≥6M ACH origination volume in 2023
- RDFIs with ≥10M ACH receipt volume in 2023 (credit monitoring)
- New PAYROLL and PURCHASE entry descriptions required
- All remaining non-consumer Originators (regardless of volume)
- All remaining TPSPs and TPSs
- All remaining RDFIs (ACH credit monitoring)
- No volume threshold — if you originate any ACH, you're in scope
- Same documentation, annual review, and monitoring requirements
June 19 is a federal holiday. Nacha has officially confirmed the practical compliance date for Phase 2 is Monday, June 22, 2026. Several published guides still cite June 19 — this is incorrect.
The rules apply far more broadly than most compliance guides suggest. They are not limited to US banks. They apply to any non-consumer entity that originates ACH payments — regardless of where they are headquartered.
- All ODFIs (Phase 1)
- All RDFIs (Phase 1 if large; Phase 2 if smaller)
- Enhanced monitoring obligations for both sending and receiving sides
- Any company that sends payroll via ACH
- Any AP team originating vendor/supplier payments
- Marketplaces, fintechs, lenders, SaaS platforms with payouts
- Nonprofits and government agencies sending ACH
- Payroll processors submitting on behalf of businesses
- Payment processors and AP automation platforms
- Accounting firms submitting ACH files
- Any intermediary handling ACH origination
This is the most overlooked category in all existing Nacha content. If your company is headquartered outside the United States — in the UK, EU, Canada, or anywhere else — but you send ACH payments to US vendors, contractors, or employees, you are an Originator under Nacha's rules.
Payments involving a financial institution outside the US are processed as IAT (International ACH Transaction) entries, which carry additional data element requirements and are subject to OFAC screening. The broader fraud monitoring requirements still apply to the originating entity. Nacha has also confirmed that IAT contacts must be registered in the ACH Contact Registry by January 1, 2027 — a deadline that specifically affects non-US originators.
If you are a European, UK, or other non-US company with US suppliers or staff paid via ACH: you need account ownership verification and fraud monitoring in place before June 22. Verifying US EINs and bank account ownership at point of onboarding is the specific control Nacha's fraud rules are designed to mandate. MonitorPay's EIN verification and account ownership API cover this directly.
This is the most significant legal concept introduced by the 2026 rules — and the most misunderstood. Every guide defines it. Almost none translate it into the fraud attacks that actually happen to AP teams and finance departments every day.
The critical distinction: the payment was authorized. The customer or employee genuinely clicked "approve." But they were deceived into doing so. Under previous rules, these payments were almost impossible to catch because traditional fraud systems looked for unauthorized transactions. Nacha is now explicitly requiring organizations to monitor for authorized-but-deceptive payments too.
Here are the four attack types that trigger "False Pretenses" — and what your monitoring must now catch:
Why this matters for compliance: Each of these attacks produces an ACH credit that is "technically authorized." Under the old rules, none of them were explicitly in scope. Under the 2026 rules, your monitoring processes must be designed to catch all four — and you must document how.
This is the question every compliance and finance team is asking — and the answer every existing guide avoids. "Risk-based" sounds flexible. It is. But "flexible" does not mean optional, and it does not mean a policy document that has never been tested.
Nacha's own research found that 58% of organizations say they have a fraud monitoring policy — but only 15% have documented, reviewed, and tested procedures that actually meet the compliance bar. A policy document alone will not satisfy an examiner.
Nacha does not prescribe specific tools or thresholds. You have genuine flexibility in how you implement controls — but those controls must be appropriate to your risk profile, documented, and reviewed annually. Here is what "risk-based" specifically requires:
- 1 A written risk assessment — identifying where ACH fraud risk is most likely to arise in your specific payment flows. Not a generic template. Specific to your payment types: payroll, vendor payments, disbursements, marketplace payouts. Which payment types are highest risk? Where do bank detail changes come from? What approval process exists?
- 2 Monitoring and exception-handling steps aligned to your volume and payment types. What triggers a manual review? Who reviews it? What happens when a bank account detail changes? How are new vendor accounts validated before first payment? These steps must be written, not assumed.
- 3 A defined response process — named owners, escalation path, when processing is paused, and how your ODFI is contacted if a suspicious entry is identified. "Someone in finance deals with it" is not a compliant response process.
- 4 Annual review and update — your procedures must be reviewed at least once per year, updated to reflect new fraud tactics, and the review must be dated and documented. Examiners will ask for the review log, not just the current policy.
An auditor reviewing your Nacha compliance will want to see: a dated document showing who reviewed the procedures, what changed since the prior review, evidence that your monitoring was tested, and a named responsible owner. A policy that has no date, no author, and no revision history will not pass scrutiny.
"Appropriate to risk" does not mean "no monitoring." Nacha's rules explicitly state that even for lower-risk use cases, some level of monitoring is required. Regional Banks have confirmed: "Failure to have some type of risk-based monitoring in place is considered unacceptable." The bar is not high — but it is not zero.
Two new standardized entry descriptions became mandatory on March 20, 2026. These apply to the Company Entry Description field in ACH batch headers and are designed to help financial institutions apply targeted fraud monitoring to specific payment types.
| Description | Required for | SEC code | Applies to vendor payments? | Effective |
|---|---|---|---|---|
| PAYROLL | All PPD credit entries for wages, salaries, and similar compensation | PPD | No | March 20, 2026 |
| PURCHASE | E-commerce consumer debit transactions (online purchase of goods) | WEB | No | March 20, 2026 |
Widely misunderstood: These new entry descriptions do not apply to standard B2B vendor or supplier payments. If you process CCD (Corporate Credit or Debit) entries for vendor payments, no new description code is required under these rules. ODFIs and RDFIs are also under no obligation to verify that the descriptions are being used correctly — enforcement is on the Originator.
This is the most underreported requirement in all existing Nacha 2026 content. The fraud monitoring rules are, at their core, a mandate to verify that bank account information comes from a trusted, independent source — not from an email, a phone call, or a vendor's own submission.
Nacha's guidance is explicit: organizations must confirm bank account information using validated data sources instead of relying on unverified communications. The reason is direct — the False Pretenses attacks described earlier all succeed because organizations trust account details without verifying that the account belongs to the entity claiming to own it.
| Method | How it works | Speed | Confirms ownership? | Catches False Pretenses? | Nacha compliant? |
|---|---|---|---|---|---|
| Micro-deposits | Small test deposits sent; account holder confirms exact amounts | 1–3 days | Partial | No | Weak — no name match |
| Pre-notifications | Zero-dollar entry sent 3 banking days before first live payment | 3 days | No | No | Weak — confirms format only |
| Real-time account ownership API ★ | Live verification that account exists, is active, and is owned by the named entity — using independent banking data | Instant | Yes | Yes | Strong — satisfies False Pretenses requirement |
Micro-deposits and pre-notifications confirm that an account exists and is formatted correctly. They do not verify that the account belongs to the vendor or employee named in your records. That distinction is precisely what the False Pretenses requirement is designed to close.
Real-time account ownership verification — checking that account number + routing + entity name match against independent banking data — is the only method that directly satisfies both the account validation requirement and the False Pretenses monitoring requirement simultaneously. It also produces an auditable record of every check, which is what Nacha's annual review requirement demands.
MonitorPay's Account Ownership Verification confirms account existence, active status, and owner identity in real time — covering US accounts and 190+ countries globally. For US vendor payments specifically, EIN verification adds entity-level confirmation that the business is who they claim to be. Both can be called inline at point of vendor onboarding or bank detail change — the two highest-risk moments in any AP workflow.
Nacha enforces its rules through a structured escalation system. Most violations are resolved without fines when corrected promptly. But for the 2026 fraud monitoring rules specifically, regulators and bank examiners have made clear that "no monitoring in place" is not a correctable minor infraction — it is a direct rules violation that will trigger formal proceedings.
| Violation level | Fine range | When it applies | Additional consequences |
|---|---|---|---|
| Warning | $0 | First infraction, corrected promptly | Formal notice on record |
| Class 1 | Up to $1,000 → $2,500 → $5,000 | Unresolved within 1 year, or recurring violation | Escalates with each recurrence |
| Class 2 | Escalated above Class 1 | Repeated Class 1 violations | Closer ODFI scrutiny; bank may restrict ACH access |
| Class 3 | Up to $500,000 per month | Persistent, systemic, or severe non-compliance | Suspension of ACH origination privileges |
The financial penalties are only part of the exposure. The more immediate risk for most businesses is operational: if your ODFI determines your fraud controls are inadequate, they can restrict or suspend your ACH origination access. For any business that runs payroll or vendor payments via ACH, that is an existential operational problem — not a compliance fine.
Bank examiners are also being directed to treat weak ACH fraud programs as evidence of broader deficiencies in operational risk, consumer protection, and governance. That creates a secondary regulatory exposure beyond Nacha itself — particularly for fintechs and financial institutions operating under FRB, OCC, or FDIC supervision.
The steps differ depending on your role in the ACH transaction. Below is a practical action plan for each type of organization. If Phase 1 already applied to you (March 20), treat this as a gap review. If Phase 2 applies, June 22 is your hard deadline.
| Priority | Action | Why it matters |
|---|---|---|
| 1 | Map all ACH payment flows — payroll, vendor, disbursements, refunds | You cannot risk-assess what you haven't mapped |
| 2 | Identify all bank detail change triggers — email, portal, HR system, phone | Bank detail change fraud is the #1 False Pretenses vector |
| 3 | Implement real-time account ownership verification at point of onboarding and on any change | Satisfies the core Nacha monitoring requirement with an auditable record |
| 4 | Write the risk assessment document — specific to your payment types | Examiners will ask for this first |
| 5 | Define the response process — named owners, escalation path, ODFI contact | Required by rule; cannot be informal |
| 6 | Schedule the annual review and record the date and reviewer | Annual review is a rule requirement, not a suggestion |
Your exposure is higher than a standard corporate AP team because you originate ACH on behalf of others, which makes you a TPSP or TPS. Your compliance documentation must cover your own monitoring and also demonstrate that you have frameworks in place for the originators using your platform. Nacha holds TPSPs responsible for the risk management quality of their origination programs.
Key requirements: automated account validation at point of seller/vendor onboarding, anomaly detection for velocity spikes or account changes, documented escalation procedures, and annual review. If you're a marketplace or gig platform with 1,000+ vendors, manual verification is not viable — a real-time account ownership API is the only scalable path to compliance.
Your payments travel as IAT entries and are subject to additional OFAC screening requirements. For fraud monitoring compliance, you need the same documented risk-based processes as any US originator — but you also need to ensure your account validation covers US routing number + account number + entity name matching. Verifying a US EIN alongside bank account ownership is the dual-layer control that directly satisfies what Nacha's False Pretenses rules require from international originators.
Remember: January 1, 2027 is the separate Nacha deadline for IAT Contact Registry registration — a requirement that specifically affects non-US originators. Start that process now alongside your fraud monitoring build.
Yes. The 2026 fraud monitoring rules explicitly apply to all non-consumer Originators — any business initiating ACH payments. This includes corporate AP teams, payroll departments, fintechs, marketplaces, SaaS platforms with payouts, and third-party processors. The rules are not limited to banks or financial institutions. If you send payroll or vendor payments via ACH, you are in scope.
An unauthorized payment is one where the account holder never approved the transaction at all — the classic fraud scenario. A False Pretenses payment is one where the account holder did authorize it, but only because they were deceived: they thought they were paying the right vendor, but the bank details had been swapped by a fraudster.
False Pretenses fraud is harder to detect because the authorization is genuine. The deception happened earlier — when the fraudulent account was submitted as legitimate. This is why the 2026 rules require organizations to verify account ownership at the point of onboarding or bank detail change, not just at the point of payment.
Yes, if you originate ACH payments into the US. Payments involving a non-US financial institution are processed as IAT (International ACH Transaction) entries, which carry additional data requirements and OFAC screening obligations. The fraud monitoring rules still apply to you as the Originator.
Additionally, Nacha has a separate rule requiring IAT contact registration in the ACH Contact Registry by January 1, 2027 — a deadline that specifically targets non-US originators. If you're paying US vendors or staff via ACH, you need documented risk-based fraud monitoring in place and EIN verification at point of onboarding.
The requirements are identical — documented, risk-based fraud monitoring processes reviewed annually. The only difference is who they apply to and when. Phase 1 (March 20, 2026) covered all ODFIs and large-volume participants: Originators with ≥6M ACH entries in 2023, TPSPs/TPSs at the same threshold, and RDFIs with ≥10M receipt volume. Phase 2 (June 22, 2026) eliminates the volume threshold entirely — all remaining non-consumer Originators, TPSPs, TPSs, and RDFIs must comply, regardless of how many ACH transactions they process.
No. Nacha does not mandate any specific tool, platform, or vendor. The rules require controls that are "risk-based, documented, and effective in detecting fraud" — but you have flexibility in how you implement them. That said, Nacha's guidance makes clear that manual verification processes — email confirmations, phone callbacks, spreadsheet tracking — are insufficient for demonstrating compliance, particularly for organizations with high ACH volumes or complex vendor bases. Automated, real-time account validation is the standard the industry is moving to.
No. Nacha explicitly states that the rules "do not require the screening of every ACH transaction individually" and that screening does not need to happen in advance of each entry's processing. "Risk-based" means you apply more scrutiny to higher-risk payment events — first-time vendor onboarding, bank detail changes, new employee payroll accounts, unusually large or timed transactions — and lighter controls to routine, established, low-risk payment flows. The key is that your approach is documented, applied consistently, and reviewed annually.
Effective March 20, 2026, Originators must include "PAYROLL" in the Company Entry Description field for all PPD credit entries that pay wages, salaries, or similar compensation. "PURCHASE" must be included for WEB debit entries representing e-commerce consumer purchases. These standardized labels help financial institutions apply targeted fraud monitoring to specific transaction types.
Important: these requirements do not apply to standard B2B vendor or supplier payments processed as CCD entries. They also do not apply to all WEB debits — only those representing e-commerce consumer purchases. ODFIs and RDFIs have no obligation to verify that the descriptions are being used correctly.
Nacha enforces rules through a structured system of warnings, fines, and in severe cases, suspension of ACH origination privileges. Fines escalate from $1,000 for unresolved Class 1 violations up to $500,000 per month for persistent Class 3 violations. Most first violations result in a warning if corrected promptly. However, Nacha and bank examiners have stated that having no monitoring in place at all is "unacceptable" and will trigger formal proceedings rather than an informal warning.
The more immediate risk for most businesses is their relationship with their ODFI. If your bank determines your fraud monitoring is inadequate, they can restrict your ACH origination access — which directly disrupts payroll and vendor payment operations.
False Pretenses fraud succeeds when an organization accepts bank account details without independently verifying who owns the account. Account ownership verification closes that gap: before sending a payment, you confirm via an independent banking data source that the account number, routing number, and entity name all match — and that the account is active. If a fraudster has submitted fake account details, this check catches it before the payment leaves.
This also produces an auditable record — timestamp, result, matched entity — which is exactly what Nacha's annual review requirement asks you to demonstrate: that your monitoring processes are documented and evidence-based, not trust-based.
At minimum, annually. Nacha requires that your risk-based processes and procedures be reviewed and updated at least once per year to address evolving fraud risks and any changes to your payment flows or business model. The review must be documented — dated, authored, and retained. If your ODFI or a bank examiner asks for evidence of compliance, an undated policy with no revision history will not satisfy the requirement. Build the annual review into your compliance calendar now, and record every review going forward.
