The ACH network is the backbone of electronic payments in the US, processing trillions of dollars in business-to-business (B2B), payroll, vendor, and supplier payments each year.
Nacha, the ACH’s governing body, is updating its Operating Rules to assign clearer fraud-prevention responsibilities to businesses, especially for scams disguised as legitimate credit transfers.
What is Nacha, and why Nacha Operating Rules apply to every business
Nacha runs the Automated Clearing House (ACH) network, the payment system for electronic money transfers among banks, payment processors, and credit unions. Businesses and consumers use the ACH network for all kinds of money transfers in the US, including direct deposit, bill payments, and B2B transactions. In 2025, the ACH network handled 35.2 billion payments, valued at $93 trillion.
Every business that sends or receives ACH payments must follow the Nacha Operating Rules. Nacha compliance ensures that sensitive data is protected, fraud is prevented, and every payment is reliable and transparent.
New ACH rules: Key deadlines
- March 20, 2026: New rules come into effect for ACH senders whose 2023 origination or transmission volume exceeded 6 million entries
- June 19, 2026: New rules come into effect for all other non-consumer users that send ACH transactions
The shift to “credit-push” fraud: Why Nacha is updating the rules now
Historically, ACH fraud controls centered on unauthorized debits, in which funds are withdrawn from an account without proper authorization. However, fraudsters increasingly rely on “credit-push” scams, in which they trick someone into initiating a payment that appears authorized but is actually fraudulent.
Some examples include:
- Imposters posing as vendors or company executives
- Attempts to redirect payroll transactions
- Business email compromise (BEC) tactics
To address these issues, Nacha designed a coordinated set of rules targeting detection and recovery. The rules are intended to help businesses spot suspicious payments and improve outcomes if fraud does occur.
The risk-based monitoring mandate: What your business must implement by June 2026
At the heart of the new rules is a requirement that all corporate ACH originators implement risk-based processes and procedures to identify and mitigate potential fraud. Any business, corporation, nonprofit, or third party that sends ACH transfers must meet the requirements, from payroll processors to accounting teams, payment vendors, and more.
Nacha expects businesses to implement the following controls:
- Documented steps to review and validate requests to change payment instructions.
- Controls to spot invoices or payments that are abnormal.
- Procedures for detecting, preventing, and recovering from fraud attempts.
- Planning strategies that involve accounting, legal, compliance, and fraud teams.
Above all, the rules prioritize thorough documentation. Despite these requirements, businesses retain flexibility in how they implement controls, depending on their size and industry.
New labeling requirements: Using PAYROLL and PURCHASE descriptions to speed up verification
Another key change in Nacha’s operating rules is the addition of two standardized Company Entity Descriptions. These are PAYROLL, used to describe payroll and wage credits, and PURCHASE, which includes e-commerce purchases.
These labels provide businesses and banks with clearer signals about the nature of a payment, in turn making it easier to spot anomalies, align internal monitoring with a bank’s fraud systems, and reduce false positives when analyzing suspicious activity.
Defining “false pretenses”: How the rules specifically address social engineering and BEC scams
The updated rules introduce the concept of false pretenses, in which a payment is based on a misrepresentation of identity or of ownership of the account being credited. This is designed to reflect real-world instances of fraud and BEC, such as:
- Payroll diversion fraud, in which there is a fraudulent attempt to change direct deposit information and trick payroll teams.
- Vendor impersonation.
- Schemes where someone poses as a CEO, CFO, or other executive over email.
Although these payments may technically be “authorized,” the new rules make it clear that risk-based monitoring and response protocols should flag this scenario for fraud risk.
What to do if you’re a victim: The new 10-day bank communication window
As Nacha outlined in a recent webinar, businesses are now active participants in fraud prevention. One rule change that highlights this involves how originating banks (ODFIs) can request a return (R06) and how receiving banks (RDFIs) must respond.
Under the expanded rules, ODFIs may request that a receiving bank return a credit entry they suspect of fraud. However, RDFIs are not required to return the entry; instead, they must respond to the request within 10 days with a decision or status update.
This stipulation aims to speed up communication between institutions to help protect against ACH fraud. When businesses quickly alert banks with clear evidence, such as transaction details and audit logs, they improve the likelihood of recovery and mitigate downstream losses.
To successfully meet the 10-day bank communication window, businesses should:
- Clarify their internal fraud escalation processes.
- Integrate ACH-based risk monitoring into enterprise risk management.
- Document all fraud investigations and communication with banks.
As Nacha’s new fraud compliance expectations take hold, businesses should adopt a cross-functional, proactive approach that bridges accounting, compliance, fraud, legal, and cybersecurity teams to formalize ACH fraud prevention plans.