Faster Payments Doesn't Have to Mean Faster Fraud

How Financial Institutions Can Proactively Prepare for Nacha Fraud Monitoring Requirements


In 2026, Nacha, the organization overseeing the ACH network in the US, is implementing new mandatory fraud monitoring requirements designed to address the threat of authorized/unauthorized credit-push payments fraud. These requirements are the culmination of the lessons learned during the COVID era of widespread government disbursement fraud and other scams, such as:

  • Business email compromise (BEC)
  • Account takeovers
  • Vendor/payroll impersonations
  • Romance and investment scams

The rule requires businesses transmitting ACH entries and financial institutions sending and receiving ACH entries to ensure they have risk-based processes designed to identify suspected fraud.

The rule does not require these organizations to screen all individual ACH entries they send or receive, but to ensure they are employing a risk-based approach to fraud monitoring.  The intention is to give organizations the flexibility to customize their monitoring processes to the level of risk posed by the various types of ACH entries they process.  However, the rule makes it clear that organizations cannot conclude that no monitoring is necessary.  In other words, they cannot sit idly and do nothing.

Nacha’s new fraud monitoring rules require:

  • All ODFIs, non-Consumer Originators, Third-Party Service Providers, and Third-Party Senders to “establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud.”
  • All Receiving Depository Financial Institutions (RDFIs) to “establish and implement risk-based processes and procedures designed to identify credit entries initiated due to fraud.”

Effective Dates 

  • Phase 1: March 20, 2026, for all ODFIs, non-consumer originators, TPSPs, and TPSs with annual ACH origination volume of 6 million or greater in 2023 and RDFIs with ACH receipt volume of 10 million or greater in 2023.
  • Phase 2: June 19, 2026, for all ODFIs, RDFIs, and non-consumer originators, TPSPs, and TPSs that did not fall under the requirement threshold for Phase 1.

A Guide for Financial Services Organizations

Nacha’s explicit choice to call this rule “risk-based” means that it lacks prescriptive recommendations, allowing each participant to customize the policies and procedures it feels are sufficient to comply with this rule based on the organization’s size, complexity, and risk appetite. It’s likely that your organization already has fraud prevention policies and procedures in place today. Your goal should be to document these controls, evaluate their effectiveness, and look for solutions to bridge any identified gaps. Additionally, here are some steps you could implement to prepare and be compliant:

1 – Conduct a Risk Assessment

  • What is your organization doing today to identify potentially fraudulent entries that are sent and received?
  • What transaction types is your organization processing, and where are the biggest fraud risks?  Are these controls proactive or reactive?
  • What evidence is your organization utilizing to assess the adequacy of these controls in relation to the risk appetite of your customers or organization?
  • If your controls are inadequate today, what options are available to ensure compliance?

2 – Implement or Upgrade Fraud Monitoring Tools

Some risk-based approaches can monitor for:

  • Changes in user behavior across every step in the digital journey – taking into account anomalies in device, location, identity and behavioral biometrics data
  • Unusual transaction amounts or frequencies, especially to new beneficiaries/receivers, new or dormant accounts, or accounts that are suspected of being potential money mules
  • Changes to sending customer contact information
  • Beneficiary/receiver intelligence: is this a new or trusted beneficiary, is this beneficiary associated with other high-risk indicators, age of account, etc.
  • Whether senders are utilizing the proper SEC Code for the receiver account type and method of authorization used

The rule does not explicitly require receiving institutions to monitor every ACH entry they receive. For many institutions, that would be an overwhelming task. Receivers can utilize a risk-based approach to isolate high-risk entries such as:

  • Entries that use an SEC code that does not correspond with the Receiver’s account type (i.e., consumer vs. non-consumer account)
  • Out-of-the-ordinary large-dollar entries
  • Entries using the standardized Company Entry Descriptions of “PAYROLL” and “PAYMENT”, which can help determine fraudulent activity

The receiving FI could then apply name matching between the entry and the receiver’s account name to flagged/suspicious entries as an additional factor in determining fraudulent activity.
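
The receiving-side triage described above, sketched as an added example that is not part of the original article or any Wespay or Nacha tooling: entries are first isolated by the three criteria, and name matching runs only on the isolated ones. The consumer (PPD, WEB, TEL) and corporate (CCD, CTX) SEC code groupings are standard; the large-dollar multiple, the similarity threshold, the field names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

CONSUMER_SEC = {"PPD", "WEB", "TEL"}            # SEC codes for consumer accounts
CORPORATE_SEC = {"CCD", "CTX"}                  # SEC codes for non-consumer accounts
WATCHED_DESCRIPTIONS = {"PAYROLL", "PAYMENT"}   # descriptions named in the article
LARGE_MULTIPLE = 5      # assumption: "large" = 5x the account's typical credit
NAME_MATCH_MIN = 0.8    # assumption: similarity below this counts as a mismatch

@dataclass
class Entry:            # hypothetical view of a received ACH credit entry
    sec_code: str
    amount_cents: int
    description: str    # Company Entry Description
    receiver_name: str  # receiver name carried in the entry

@dataclass
class Account:          # hypothetical view of the RDFI's own account record
    is_consumer: bool
    holder_name: str
    typical_credit_cents: int

def normalize(name: str) -> str:
    """Upper-case, drop punctuation and collapse whitespace before comparing."""
    return " ".join(name.upper().replace(".", " ").replace(",", " ").split())

def name_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def triage(entry: Entry, account: Account) -> list[str]:
    """Return why an entry was isolated; an empty list means it was not selected."""
    reasons = []
    sec = entry.sec_code.upper()
    known = sec in CONSUMER_SEC | CORPORATE_SEC
    if known and (sec in CONSUMER_SEC) != account.is_consumer:
        reasons.append("sec_account_mismatch")
    if entry.amount_cents >= LARGE_MULTIPLE * account.typical_credit_cents > 0:
        reasons.append("unusually_large")
    if entry.description.strip().upper() in WATCHED_DESCRIPTIONS:
        reasons.append("payroll_or_payment_description")
    # Name matching is the second-stage factor, applied only to isolated entries.
    if reasons and name_similarity(entry.receiver_name, account.holder_name) < NAME_MATCH_MIN:
        reasons.append("name_mismatch")
    return reasons

# Constructed sample records (not real data).
JANE = Account(is_consumer=True, holder_name="Jane Q. Doe", typical_credit_cents=200_000)
ROBERT = Account(is_consumer=True, holder_name="Robert Smith", typical_credit_cents=200_000)
NORMAL_PAYROLL = Entry("PPD", 210_000, "PAYROLL", "JANE Q DOE")
REDIRECTED_PAYROLL = Entry("PPD", 210_000, "PAYROLL", "Jane Doe")
LARGE_CORPORATE = Entry("CCD", 5_000_000, "VENDOR PMT", "Jane Doe")
```

A payroll credit whose receiver name does not match the holder of the account it lands in, the pattern left by a redirected direct deposit, comes back with both `payroll_or_payment_description` and `name_mismatch`, while an entry that meets none of the isolation criteria is never name-matched at all.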

3 – Define Response Procedures

  • Create a clear workflow for investigating suspicious activity.
  • Define escalation paths and response timeframes.
  • Ensure cross-team communication (security, fraud, digital operations, and legal).

4 – Train and Educate Staff

  • Educate teams on red flags, fraud typologies, and the institution’s response plan.
  • Run periodic training updates.

5 – Test and Audit Regularly

  • Simulate fraud attempts or anomalies (e.g., red team exercises).
  • Regularly audit your monitoring systems and update rules/thresholds as new threats emerge.

Wespay Advisors Can Help Ensure You’re Ready

Wespay Advisors can be your partner in preparing for compliance with this new rule.  Whether you’re designing a fraud monitoring program from scratch or are looking for expert feedback to evaluate your current controls, Wespay Advisors can:

  • Analyze your organization’s current fraud and risk deterrent strategies, tools, and processes against current industry sound practices and requirements
  • Provide recommendations on how to bridge any identified processing gaps based on your organization’s capabilities, complexity, and risk appetite
  • Assist with vendor and product feature analysis and recommendations

Wespay Advisors’ team is eager to partner with you to help ensure you and your account holders are ready for this new rule.

Want to find out more? View our ACH Fraud Rule page, or pick up the phone or email:

John Curtis, AAP, APRP, NCP
SVP, Business Consulting Leader
415-373-1190
[email protected]