In 2026, Nacha (National Automated Clearing House Association), the ACH Network’s governing body, is updating its Operating Rules & Guidelines for ACH payments, as part of a larger Risk Management package designed to reduce push payment fraud (such as romance scams, and business email compromise) and improve fund recovery.
ACH fraud costs consumers billions each year and also disrupts financial institutions (FIs) that can’t keep up with evolving threats. This includes everything from simple unauthorized debits to sophisticated, AI-enhanced attacks such as business email compromise (BEC), authorized push payment (APP) scams, and synthetic identity theft. In combination, ‘pig butchery fraud’ continues to gain traction, where nefarious individuals form trusting relationships with victims online before convincing them to invest in cryptocurrency scams.
Fighting fraud is becoming more expensive, and its true cost is growing. In the US, for example, every $1 of fraud in 2025 costs financial institutions $5.75, up from $4 in 2021.
Understanding the new compliance standard
For FIs, ACH fraud isn’t just costly; it can lead to reputational damage, diminished customer experience, customer churn, and legal and liability risks.
As fraud becomes AI-driven and increasingly complex, the new Nacha rules set out to make the entire industry more secure. They mandate that FIs participating in the ACH network adopt a comprehensive, proactive ACH risk management approach. To that end, both originating depository financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) are now required to move beyond reactive fraud response to proactive identification and prevention.
Although Nacha doesn’t prescribe specific technologies for fraud monitoring, it raises expectations for FIs of all sizes to implement more effective, consistent, and defensible risk-management strategies. The rules stipulate that FIs tailor their monitoring efforts to the specific risks associated with their originators and transaction volumes by detecting anomalies, behavioral changes, or patterns indicative of fraud.
Key Nacha amendment deadlines for FIs
New rules require FIs to establish and implement risk-based processes and procedures to identify fraudulent ACH entries. The rules will be implemented in two phases, with an earlier deadline for higher-volume FIs.
Phase 1: March 20, 2026
- The new rule to establish fraud monitoring will apply to all ODFIs.
- The rule will also apply to non-consumer originators, third-party service providers (TPSPs), and third-party senders (TSPs) with annual ACH origination volume of 6 million or greater in 2023.
- The new rule implementing ACH credit monitoring will apply to RDFIs with an annual ACH receipt volume of 10 million or greater in 2023.
Phase 2: June 19, 2026
- The rule to establish fraud monitoring will apply to all other non-consumer originators, TPSPs, and TPSs.
- The rule to implement ACH credit monitoring will apply to all other RDFIs.
Standardizing fraud detection
A key update to Nacha’s rules introduces mandatory Company Entry Descriptions — PAYROLL and PURCHASE — to support automated screening.
PAYROLL: Originators are required to use this new description for all Preauthorized Payment and Deposit (PPD) credit entries representing salary, wages, or similar compensation.
PURCHASE: This is a new standard description for ecommerce purchases.
Impact on FIs:
- Targeting risk mitigation: The PAYROLL amendment is intended to reduce fraud involving payroll redirections. For example, RDFIs that monitor inbound ACH credits will be able to better identify suspicious activity and payroll redirections by more easily highlighting new or multiple payroll payments to a particular account.
- Reducing false positives: By clearly segmenting transaction types, FIs can easily filter transactions to apply specific fraud-detection rules and refine their fraud models, reducing the number of legitimate transactions flagged as suspicious.
- Enhancing screening: With standardized data labels, FIs can implement automated screening processes to better identify inconsistencies. For example, they can flag a high-value debit labeled “PURCHASE” originating from an account with no history of B2B transactions.
The 10-day mandate
As part of the same overhaul package, Nacha has amended the ACH return process. These changes took effect on April 1, 2025.
According to the new rules, Receiving Depository Financial Institutions (RDFIs) are required to respond to an Originating Depository Financial Institution’s (ODFI’s) Request for Return within 10 banking days of receipt of a return request.
Key implications for RDFIs and ODFIs:
- RDFIs must respond to an ODFI’s information request about a potentially unauthorized transaction within 10 banking days.
- RDFIs must improve internal processes for reviewing customer claims and communicating with the originating institution quickly.
- ODFIs gain a mechanism to receive timely confirmation, helping them resolve a potentially unauthorized transaction for their customers.
- ODFIs can reduce uncertainty and improve resolution processes.
This mandate is intended to expedite the resolution of unauthorized transactions, strengthening the ACH Network’s integrity and improving the customer experience.
Clawing back fraud
By utilizing the expanded “false pretenses” definition and updated R17 return code, Nacha is improving the ability of FIs to return fraudulent transactions, particularly those related to BEC, APP, social engineering, and other novel scams.
The R17 return code now includes unauthorized payments made under “false pretenses.” The “false pretenses” definition clarifies that an entry can still be considered unauthorized if the consumer or business authorized it, but the authorization was obtained through deceit or coercion.
While this new Nacha rule requires FIs to update internal processes and policies, it simplifies and streamlines the recovery of funds lost to fraud. It also creates a more robust framework to manage potentially questionable or suspicious transactions.
Liability and network integrity
The new Nacha operating rules are raising the bar for all FIs to maintain ACH network integrity and prevent fraud. Nacha rules non-compliance can lead to warnings, escalating fines, operational disruption, and reputational damage with financial partners and customers.
To maintain compliance in 2026, FIs must take the following steps:
- Develop and implement risk-based fraud monitoring processes for ACH entries.
- Document fraud monitoring procedures and establish annual reviews.
- Update internal policies to include “false pretenses.”
- Train staff on new fraud detection and monitoring requirements.
- Update ACH templates to include PAYROLL for wage credit entries and PURCHASE for ecommerce debit entries.
By enforcing compliance, proactive monitoring, due diligence, regular reviews, and risk assessment, Nacha aims to create a shared responsibility model in which both sides of the ACH transaction actively contribute to a more secure and reliable payment network.
Get in touch to learn more about how Convera helps financial institutions optimize their global payments strategy.
