The National Automated Clearing House Association (Nacha) has announced several updates to the Automated Clearing House (ACH) Rules, many of which go into effect in 2026. These rules represent the most significant changes in nearly two decades and are aimed at strengthening fraud prevention, improving regulatory compliance, and enhancing network transparency. Below, Pinion advisors break down the fraud-specific changes and how to prepare.

March 20, 2026 – Fraud Monitoring Phase 1

Phase 1 introduces requirements for fraud monitoring by Originators, Third-Party Service Providers, Third-Party Senders, and Originating Depository Financial Institutions (ODFIs).

  • ODFIs and non-consumer Originators, Third-Party Service Providers, and Third-Party Senders with annual ACH origination volume of 6 million or more in 2023 must implement risk-based processes to identify fraudulent ACH entries.
  • Originators must use commercially reasonable fraud detection systems for WEB debits and Micro-Entries.

March 20, 2026 – RDFI ACH Credit Monitoring Phase 1

The rule applies to Receiving Depository Financial Institutions (RDFIs) with annual ACH receipt volume of 10 million or more in 2023. RDFIs must establish and implement risk-based processes and procedures designed to identify credit entries initiated due to fraud.

RDFIs have visibility into incoming transactions, account profiles, and historical activity on Receiver accounts. A risk-based approach to monitoring can consider factors such as:

  • Transaction velocity
  • Anomalies (e.g., SEC Code mismatch with account type)
  • Account characteristics (age of account, average balance)

This approach aligns with existing AML monitoring practices. Based on monitoring, RDFIs may return an entry or contact the ODFI to validate a transaction. ACH transaction monitoring may already be in use due to AML requirements. This amendment encourages communication between compliance, operations, product management, and relationship staff. Solutions can be developed internally or through vendors to assist in monitoring received payment activity.
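
As an added illustration (not code from Nacha or Pinion), the factors listed above can be written as simple rules over received credit entries. The SEC Code mapping, thresholds, field names, and sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simplified assumption: SEC Codes expected per Receiver account type.
EXPECTED_SEC = {"consumer": {"PPD", "WEB"}, "business": {"CCD", "CTX"}}
# Illustrative thresholds only; real values come from the institution's risk assessment.
WINDOW, MAX_IN_WINDOW = timedelta(hours=24), 5
NEW_ACCOUNT_DAYS, BALANCE_MULTIPLE = 30, 10

@dataclass
class Account:
    kind: str            # "consumer" or "business"
    opened: datetime
    avg_balance: float

@dataclass
class Credit:
    account_id: str
    sec_code: str
    amount: float
    received: datetime

def risk_flags(entry, acct, history):
    """Return the risk factors raised by one incoming ACH credit."""
    flags = []
    prior = [h for h in history if h.account_id == entry.account_id
             and timedelta(0) <= entry.received - h.received <= WINDOW]
    if len(prior) + 1 > MAX_IN_WINDOW:                  # transaction velocity
        flags.append("velocity")
    if entry.sec_code not in EXPECTED_SEC[acct.kind]:   # SEC Code vs. account type
        flags.append("sec_mismatch")
    if (entry.received - acct.opened).days < NEW_ACCOUNT_DAYS:        # age of account
        flags.append("new_account")
    if entry.amount > BALANCE_MULTIPLE * max(acct.avg_balance, 1.0):  # vs. average balance
        flags.append("amount_vs_balance")
    return flags

def disposition(flags):
    """Route an entry; staff decide whether to return it or contact the ODFI."""
    if len(flags) >= 2:
        return "review"
    return "watch" if flags else "post"

def constructed_sample():
    """Constructed data: a routine payroll credit and a burst of credits to a new account."""
    now = datetime(2026, 3, 20, 9, 0)
    old = Account("consumer", now - timedelta(days=900), 2400.0)
    new = Account("consumer", now - timedelta(days=6), 50.0)
    payroll = Credit("A1", "PPD", 1850.0, now)
    burst = [Credit("B2", "CCD", 900.0, now - timedelta(hours=i)) for i in range(1, 6)]
    suspect = Credit("B2", "CCD", 4200.0, now)
    return risk_flags(payroll, old, []), risk_flags(suspect, new, burst)
```

Recording which flags fired for each entry, rather than only the final routing, supports the documentation of thresholds and rationale that a risk-based process calls for.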

June 19, 2026 (Effective June 22, 2026) – Phase 2 of Fraud and RDFI ACH Credit Monitoring

Phase 2 expands on the fraud monitoring requirements:

  • Fraud Monitoring: The rule applies to all other non-consumer Originators, Third-Party Service Providers, and Third-Party Senders.
  • RDFI ACH Credit Monitoring: The rule applies to all RDFIs.

How to Prepare

If your institution has not yet begun assessing readiness or updated its policies and procedures, now is the time. The following tips can help you get started:

  • Review ACH policies and risk assessments and update accordingly
  • When evaluating fraud-monitoring tools, ensure they can accurately identify any suspicious outgoing/incoming ACH activity (pay attention to velocity rules, anomaly detection, and identity-mismatch flags)
  • Document all processes, including rationale, review cycles, thresholds, escalation steps, and resolution
  • Train any team members and departments involved with your ACH activity – for example: operations, compliance, product, and customer service/relationship manager team members
  • Notify commercial originators of changes and their responsibilities as they pertain to Phase 1

Those that act now will reduce risk both to their institution and customers, avoid costly penalties and losses, and improve compliance and transparency.

To learn more about other updates and changes, visit: Nacha Operating Rules – New Rules | Nacha

If you need help navigating these rules, aren’t sure where to start, or have any other questions, reach out to Pinion’s financial institutions advisory team.