ACH Rule Update: Expanded Fraud‑Monitoring Requirements

Effective June 19, 2026

Nacha has approved an amendment to the ACH Operating Rules that expands fraud‑monitoring expectations for all ACH originators. Beginning June 19, 2026, businesses that originate ACH transactions are expected to have documented, risk‑based fraud‑monitoring processes in place.

What’s Changing

The amended Nacha rule requires ACH originators to establish and implement fraud‑monitoring processes and procedures that are reasonably designed to identify ACH entries initiated due to fraud.

These requirements apply to all ACH originators, regardless of size or transaction volume.

Important clarifications:

The rule does not require every ACH entry to be individually screened
Fraud monitoring does not need to occur before transactions are processed
Monitoring should be consistent, documented, and risk‑based

Why This Matters

ACH fraud attempts continue to increase across the industry, particularly schemes that rely on deception rather than system compromise. These schemes often involve tricking businesses into sending legitimate payments to fraudulent accounts.

By expanding fraud‑monitoring expectations and clarifying responsibilities, Nacha aims to:

Strengthen fraud prevention at the point where payments are initiated
Reduce the overall incidence of ACH fraud
Improve the ability to recover funds when fraud occurs

When This Takes Effect

June 19, 2026
By this date, ACH originators should have fraud‑monitoring processes and procedures developed, documented, and implemented. After implementation, originators are expected to review their procedures at least annually and update them as needed to address evolving fraud risks.

How to Prepare

As you develop or enhance your fraud‑monitoring practices, consider including:

Documented, risk‑based procedures to identify suspicious ACH activity
Regular reviews (at least annually) to assess effectiveness and make updates
Management review and approval of fraud‑monitoring procedures
Employee training to ensure procedures are consistently followed

The amended rule does not prescribe a specific technology or solution. Controls should be appropriate for your organization’s ACH activity, complexity, and risk profile.

Ongoing Responsibilities After Implementation

Following implementation, ACH originators should perform the following actions at least annually:

Review existing processes and procedures and update them as needed
Ensure current controls are understood and followed consistently
Identify additional measures to mitigate unauthorized transactions and those authorized under false pretenses, including fraud schemes involving:
- Business email compromise (BEC)
- Vendor impersonation
- Payroll impersonation

Download ACH Fraud Monitoring Guidelines

Frequently Asked Questions

Does this rule apply to my business?

If your business originates ACH transactions, such as payroll or vendor payments, this rule applies to you beginning June 19, 2026.

Are we required to review every ACH transaction?

No. Nacha does not require individual screening of every ACH entry. Monitoring should be risk‑based and focused on identifying unusual or suspicious activity.

Does fraud monitoring need to occur before payments are processed?

No. The rule does not require pre‑processing screening. Monitoring may occur before or after processing, as long as it is effective and consistent.

Is a specific fraud‑monitoring tool required?

No. Nacha does not mandate a specific system or vendor. Controls should be reasonable and appropriate for your organization.

How often do procedures need to be reviewed?

Fraud‑monitoring procedures should be reviewed at least annually and updated as needed.

Need Assistance?

Treasury Management Solutions Center
800.279.3200, Option 3
Monday–Friday, 8 a.m.–6 p.m. CT
treasury@alerus.com