New Nacha fraud rules to take effect in 2026

  • Key insight: New rules force receiving banks, or RDFIs, to move from a traditionally passive role to actively monitoring incoming ACH credits for red flags.
  • What's at stake: Originating banks, or ODFIs, must now monitor for "false pretenses," a new term covering common BEC and vendor impersonation scams.
  • Supporting data: The phase 1 threshold for receiving institutions applies to about 175 institutions, which represent approximately 70% of the network's received volume.
  • Expert quote: If an institution hasn't started implementation, "it may be falling behind," according to Brian Holbrook, director at LSEG Risk Intelligence.
  • Forward look: The first phase of the new monitoring requirements is set to go into effect on March 20, 2026, for all ODFIs and high-volume institutions.

Overview bullets generated by AI with editorial review

The National Automated Clearing House Association, or Nacha, is introducing two-phased fraud monitoring rule changes starting in March 2026, reshaping compliance obligations for U.S. banks, credit unions and other ACH network participants.

These rules directly target the rise of sophisticated authorized push payment, or APP, fraud and business email compromise, or BEC, scams, which often trick legitimate account holders into authorizing fraudulent payments. The updates aim to bolster fraud detection and recovery efforts across the entire transaction lifecycle.

The new requirements are staggered based on transaction volumes from 2023 to give certain smaller institutions more time to prepare.

During phase 1, which goes into effect on March 20, the following ACH network participants must comply with the new rules: all originating depository financial institutions, or ODFIs; originating participants (including third parties) with 6 million or more ACH transfer originations; and receiving depository financial institutions, or RDFIs, with 10 million or more receipts.

For financial institutions, Nacha said that the volume threshold for RDFIs applies to about 175 institutions. These institutions represent approximately 70% of the network's received volume.

New fraud monitoring mandates for ODFIs and RDFIs

The core requirement of the rule is that all affected parties must establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. These procedures must be reviewed and updated at least annually to address constantly evolving fraud risks.

Critically, Nacha specifies that concluding that no monitoring is necessary at all is not acceptable. However, institutions are not required to screen every ACH entry individually, nor must they perform monitoring prior to processing transactions.

What originating banks need to do

The rules mandate that ODFIs (and originating third parties) monitor for payments that are unauthorized or authorized under false pretenses.

The term "false pretenses" here is key. It is newly defined and explicitly covers common fraud scenarios such as business email compromise, vendor or payroll impersonation, and misrepresenting identity or authority to act on behalf of another person.

These fraud scenarios fall under the broader category of authorized push payments, also known as APP fraud.

ODFIs must refine existing monitoring processes for suspicious ACH credit and debit entries. If monitoring identifies suspect activity, potential actions include stopping further processing, consulting with the originator, or contacting the RDFI to request a fund return or freeze.

Nacha has been clear that these new rules do not modify or supersede the ODFI's existing warranty of ACH entries, nor do they change the allocation of liability for fraud or scams under federal law.

ODFIs must ensure their customers, including originators and third-party senders, comply with the fraud monitoring rule.

What receiving banks need to do

RDFIs are moving from a traditionally passive role to taking on an additional role in monitoring incoming ACH credits to fight credit push fraud. RDFIs possess a unique view of incoming transactions, account profiles and history.

The risk-based approach for RDFIs should involve monitoring for specific red flags, such as transactional velocity anomalies; high-dollar transactions that are atypical for the receiving account; and activity involving new, dormant or potential mule accounts, per the new Nacha rules.

Other potential red flags include multiple, similar credit entries received in a short period, such as multiple payroll payments; and so-called standard entry class, or SEC, code mismatches. These mismatches occur when the indicated type of a transaction and the parties involved do not align with the type of account to which the funds are being sent.

The primary mismatch example Nacha has highlighted involves corporate codes being used for consumer accounts. If an RDFI detects that an ACH entry is coded as being between two corporate entities, but the receiver is a consumer account, that would be a suspicious transaction.
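The RDFI red flags described above, sketched as detection logic run over incoming credits. This is an added example, not code from Nacha or from the article; the thresholds, field names and sample records are assumptions constructed for illustration, and CCD and CTX are the corporate SEC codes checked against consumer accounts.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# kind: "consumer" or "business"; typical_max_credit: 0.0 when there is no history yet.
Account = namedtuple("Account", "kind opened last_activity typical_max_credit")
Credit = namedtuple("Credit", "account_id sec_code amount received")

CORPORATE_SEC = {"CCD", "CTX"}  # SEC codes for corporate-to-corporate entries
# Illustrative thresholds: assumptions for this example, not values from the Nacha rules.
NEW_DAYS, DORMANT_DAYS, AMOUNT_MULTIPLE = 30, 180, 5.0
VELOCITY_WINDOW, VELOCITY_LIMIT = timedelta(hours=24), 3

def red_flags(entry, account, recent):
    """Flags raised by one incoming credit; `recent` holds earlier credits to the account."""
    flags = []
    if entry.sec_code in CORPORATE_SEC and account.kind == "consumer":
        flags.append("sec_mismatch")
    # Without history there is no baseline, so skip the amount check instead of flagging all.
    if account.typical_max_credit and entry.amount > AMOUNT_MULTIPLE * account.typical_max_credit:
        flags.append("atypical_amount")
    if entry.received - account.opened < timedelta(days=NEW_DAYS):
        flags.append("new_account")
    elif entry.received - account.last_activity > timedelta(days=DORMANT_DAYS):
        flags.append("dormant_account")
    in_window = [c for c in recent if entry.received - c.received <= VELOCITY_WINDOW]
    if len(in_window) + 1 > VELOCITY_LIMIT:  # +1 counts the entry being checked
        flags.append("velocity")
    return flags

def screen(entries, accounts):
    """Walk credits in arrival order and return (entry, flags) for each flagged one."""
    seen, hits = {}, []
    for e in sorted(entries, key=lambda c: c.received):
        history = seen.setdefault(e.account_id, [])
        flags = red_flags(e, accounts[e.account_id], history)
        if flags:
            hits.append((e, flags))
        history.append(e)
    return hits

# Constructed sample data (not real accounts or entries).
NOW = datetime(2026, 3, 20, 12, 0)
ACCOUNTS = {"A1": Account("consumer", NOW - timedelta(days=900), NOW - timedelta(days=2), 2500.0),
            "A2": Account("consumer", NOW - timedelta(days=10), NOW - timedelta(days=1), 0.0)}
ENTRIES = [Credit("A1", "PPD", 2400.0, NOW),                        # ordinary payroll credit
           Credit("A1", "CCD", 48000.0, NOW + timedelta(hours=1))]  # corporate code, consumer
ENTRIES += [Credit("A2", "PPD", 1900.0, NOW + timedelta(minutes=m)) for m in (0, 5, 10, 15)]
for e, flags in screen(ENTRIES, ACCOUNTS):
    print(e.account_id, e.sec_code, e.amount, flags)
```

Because the rules do not require screening before processing, a pass like this can run after posting; flagged entries then feed review and, where warranted, contact with the ODFI.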

Nacha is also encouraging RDFIs to collaborate with ODFIs on risk and recovery strategies. Communication for researching potential fraud or requesting returns should use the ACH contact registry, which includes required contacts for both ACH operations and fraud and risk areas.

The time to act is now

Vendors that provide risk and financial crime monitoring services to banks and credit unions have emphasized that financial institutions must quickly move beyond minimal compliance and embrace advanced fraud protection strategies.

The rule changes reflect the urgent need for financial institutions to adopt more proactive and holistic fraud prevention strategies, according to Colin Parsons, vice president of product management at financial crime management vendor Nasdaq Verafin. He cautioned that institutions that show ongoing negligence could face fines or reputational damage.

If an institution hasn't started implementation, depending on its size, it "may be falling behind," according to Brian Holbrook, director of product strategy and integrated services at corporate risk advisor LSEG Risk Intelligence.

The rule is a strategic shift, formalizing fraud monitoring duties for parties beyond the bank, according to Trevor Lain, founder and CEO of compliance vendor LexAlign. However, he emphasized that for banks, especially ODFIs, the new rule does not shift liability away; financial institutions must still ensure their customers comply.
