Skip to main content
Choose your location
Select the location and the language that you prefer
What can we help you find?
Article | FINEX Observer

Navigating Nacha’s new fraud rules: What financial institutions need to know

By Kate Twombly | November 21, 2025

Nacha’s 2026 rule changes strengthen ACH fraud monitoring, requiring risk-based controls for originators and RDFIs to enhance payment security.
Subscribe

In today’s fast-moving digital universe, the necessity for secure, dependable and efficient financial transactions has never been more important. To deliver optimal customer experiences, financial institutions are expanding across an array of digital channels. While this accessibility benefits customers, it also poses the risk of increased frequency and severity of threats from fraud and social engineering attacks. In response, Nacha (National Automated Clearing House Association) has taken proactive steps to implement improved fraud detection and prevention guidelines, further safeguarding electronic payments in the United States.

What is Nacha?

Nacha governs the ACH (Automated Clearing House) Network, the payment system that drives direct deposits and payments, reaching all U.S. bank and credit union accounts. Nacha’s operating rules outline the roles and responsibilities of financial institutions to ensure payments are processed securely and seamlessly.

Recently, Nacha announced amendments to its fraud management rules, effective as early as March 20, 2026. These adjustments are intended to reduce the success rate of fraud incidents and aim to improve the recovery of funds when fraud does occur.

What is the timeline for these changes? Who will this apply to?

The new fraud monitoring requirements will be implemented in two stages.

Phase 1 (effective March 20, 2026)

Fraud monitoring by originators, TPSPs and ODFIs
  • Requires all original depository financial institutions, non-consumer originators, third-party Service provider (TPSP) and third-party sender (TPS) with 2023 ACH origination volume of six million or greater to implement risk-based processes and procedures to detect ACH entries initiated due to fraud.
    • The updated rules eliminate the use of the “commercially reasonable” language as a standard and replace it with “processes and procedures reasonably intended to identify” fraudulent entries.
    • These enhancements are broader than Nacha’s current requirements, which mainly focus on web debits and micro-entries.
    • Risk-based fraud monitoring practices are expected to be implemented, though it is not required for every transaction to be examined before it is sent. These practices must be examined and reviewed annually to ensure they are up to date with the evolution of fraud activity.
ACH credit monitoring by RDFIs
  • RDFIs with 2023 ACH receipt volume of 10 million or more will be required to develop and implement control procedures to identify fraudulent credit entries.
  • RDFIs should consider factors such as transactional velocity, account characteristics, anomalies and historical account activity.
  • Monitoring is not required pre-posting, and processes must be reviewed annually. While ACH credit transactions are not required to be monitored before they are posted, organizations must still establish and annually review processes to respond to fraudulent activity that may come after posting.
  • These increased measures reinforce the regulatory expectation for financial institutions to uphold robust frameworks to detect suspicious transactions and reduce the frequency of incident success.

Phase 2 (effective June 19, 2026)

  • Expands upon the requirements rolled out March 20, 2026, and adds all other non-consumer originators, TPSP, TPS and remaining RDFIs.
False pretenses – New definition

The new rules introduce a new term, “false pretenses,” which is defined as:

This definition captures many of the prevalent fraud schemes today, such as business email compromise, vendor and payroll impersonation and other instances where there is misrepresentation of a payee. It is intended to complement the existing Nacha rules governing unauthorized credits arising from account takeovers, though it excludes “scams involving fake, non-existent or poor-quality goods or services.”

Impact on financial institutions and benefits of updated rules

These updated rule revisions strengthen the integrity of the ACH Network and better align fraud monitoring practices with today’s evolving threat landscape. By adopting stronger risk-based controls, institutions can more readily identify suspicious transactions, reduce fraud losses and improve response procedures when incidents occur. These enhanced practices make such transactions more secure and dependable, alleviating the extent of fraud activity, including account takeovers and business email compromise — which is ever present in our digital territories.

Beyond compliance, the rules contribute to greater operational resilience. Improved detection frameworks allow institutions to pinpoint irregularities earlier, streamline the investigation process and overall respond more quickly to emerging fraud patterns. These collective measures strengthen the ACH environment and better position financial institutions to safeguard customer funds and other sensitive data.

Rule enforcement and non-compliance

Complying with Nacha rules not only allows for a higher quality of service through the ACH Network but also provides users with greater confidence in the system’s security. To help support this, Nacha utilizes the National System of Fines as its enforcement mechanism to extend warnings and fines to parties that fail to meet the requirements. A financial institution can report a violation to Nacha, and the submission will be thoroughly examined. The alleged violator will have a chance to respond to the claims; however, if the violation is verified, repercussions may apply, such as financial penalties, interrupted operations, suspension, or termination of the service altogether. Remaining informed about rule changes, authenticating and verifying customer accounts and performing regular audits are all effective methods to reduce the risk of violating Nacha guidelines.

Looking ahead

As Phase 1 commences in March 2026 and Phase 2 follows in June 2026, financial institutions have an opportunity to review and reinforce their existing fraud detection and transaction monitoring frameworks in advance of this rollout. Nacha’s latest risk management amendments emphasize the collective responsibility across ACH participants to proactively detect, prevent and respond to fraud activity. Early preparation may not only strengthen compliance readiness but could also minimize exposure to fraud in the more immediate term, thus turning regulatory changes into a strategic advantage — protecting customers, improving risk management and demonstrating initiative in allowing for secure digital payment transfers.

Reference

Risk Management Topics – (Fraud Monitoring Phase 1), Nacha.

Disclaimer

WTW hopes you found the general information provided here informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, WTW offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author

Kate Twombly
Senior Associate – Fidelity & Crime, FINEX
Email
Related content tags, list of linksArticleFINEX ObserverFinancial, Professional and Executive RisksFinancial InstitutionsBanking

Related capabilities

Financial, Professional and Executive Risks
Financial Institutions
Contact us