NACHA’s recent rule changes signal a meaningful shift in how organizations are expected to approach Automated Clearing House (ACH) fraud risk. What was once framed around “commercially reasonable” fraud controls is now moving toward a more defined expectation: covered participants must establish risk-based processes and procedures designed to detect potentially fraudulent ACH activity.
The update is especially important because it reflects how fraud is evolving. Increasingly, losses stem not only from unauthorized transactions, but also from payments that were technically authorized by a legitimate user who was deceived into sending funds under false pretenses. Business email compromise, vendor impersonation, payroll diversion, and other credit-push fraud schemes are becoming more sophisticated, harder to spot, and more costly to recover from.
For organizations that originate, transmit, or receive ACH entries, the message is clear: now is the time to review your fraud risk program, close control gaps, and document how your organization will identify and respond to suspicious activity.
Who Is Affected by the New NACHA Rules?
The new requirements apply across multiple participants in the ACH network, not just financial institutions.
Subsection 2.2.4 applies to originating depository financial institutions (ODFIs) as well as all non-consumer originators, third-party service providers (TPSPs), and third-party senders (TPSs). These entities are expected to implement risk-based processes reasonably intended to identify ACH entries initiated by fraud, including those authorized under false pretenses.
Subsection 3.1.10 applies to receiving depository financial institutions (RDFIs). These institutions must establish risk-based procedures to identify inbound credit entries that may be unauthorized or part of a fraud scheme.
Importantly, the rules do not require that every ACH entry be screened individually, nor do they require monitoring before processing. Instead, NACHA is emphasizing a layered, risk-based approach appropriate to an organization’s role, transaction activity, and risk profile.
Why These Rule Changes Matter Now
Credit push fraud continues to rise as social engineering tactics become more convincing and more scalable. Fraudsters are using increasingly advanced methods to manipulate employees, payment approvers, and operational teams into sending funds to the wrong recipient.
Generative artificial intelligence is adding to that risk by helping bad actors personalize phishing and business email compromise messages, imitate normal communication styles, and automate multi-step interactions that can wear down existing verification controls. Fraudsters can also create realistic invoices and supporting documents, test detection thresholds, and structure activity to resemble legitimate transactions.
At the same time, organizations are operating in faster, more distributed payment environments. That combination makes early detection more important than ever. When suspicious activity is discovered too late, the opportunity to stop or recover funds may be significantly reduced.
What Organizations Should Do Now
The core requirement under the new rules is to establish and implement risk-based processes and procedures that are reasonably intended to identify entries suspected of being unauthorized or authorized under false pretenses. While the details will vary by organization, there are several practical steps worth prioritizing now.
Update Your ACH Risk Assessment
A strong starting point is revisiting your ACH risk assessment with these new expectations in mind.
That assessment should reflect your role in the ACH network, whether you are an originating depository financial institution, originator, third-party sender, third-party service provider, or receiving depository financial institution. It should also account for the types of transactions you process, such as credits or debits, as well as the channels and business lines involved.
As part of this process, organizations should define the most relevant fraud scenarios for their role. For some, that may include unauthorized debits tied to invalid authorizations, synthetic identities, or account takeover. For others, the greater concern may be credits sent under false pretenses, such as vendor payment redirection, payroll diversion, mule account activity, or fraud involving newly opened receiving accounts.
Organizations should also identify where they have the best opportunity to detect suspicious activity. For originating depository financial institutions, originators, third-party senders, and third-party service providers, this may include onboarding and ongoing due diligence, transaction analytics, change-event monitoring, and return-pattern surveillance. For receiving depository financial institutions, this may involve monitoring newly opened accounts for unusual credits, rapid post-transaction fund movement, or anomalous device and access behavior associated with account activity.
From there, organizations should reassess inherent risk, evaluate the effectiveness of existing controls, and identify gaps. Segmenting risk by transaction type, customer type, industry, channel, and third-party involvement can help make that analysis more meaningful.
Address Gaps in the Risk and Control Environment
Once the risk assessment is updated, the next step is to prioritize remediation.
The most important areas to address are those where fraud risk is highest and where current controls may fall short of NACHA’s expectation that monitoring be reasonably intended to detect suspicious activity.
For many organizations, that may mean enhancing onboarding due diligence and ongoing monitoring for originators and third parties. It may also mean strengthening controls around payee or account changes, especially where a change event should trigger callback or verification procedures.
Other common improvement areas include better analytics around transaction velocity, amount, and patterns, as well as greater use of cross-channel indicators such as online banking behavior, device anomalies, and account access patterns. Organizations should also ensure they have clear response playbooks for triage, review, interdiction, and potential recovery efforts.
Document Your Risk-Based Processes and Procedures
Written procedures are now a baseline expectation for covered entities.
Your documentation should clearly explain how suspicious ACH activity will be identified, who is responsible for reviewing and escalating concerns, when monitoring and program reviews occur, and what actions should be taken when potential fraud is identified.
At a minimum, the documentation should address four areas:
- How your organization identifies atypical transactions, including the data sources used and the frequency of monitoring.
- Who is responsible for monitoring, triage, decision-making, escalation, and reporting.
- When reviews take place, including annual reassessments, threshold tuning, and change management.
- Escalation steps to follow when activity appears suspicious, including holds, callbacks, interdiction efforts, return procedures, and engagement with law enforcement where appropriate.
This documentation may also have downstream implications. For example, if you are a non-consumer originator, third-party sender, or third-party service provider, your originating depository financial institution may request these procedures as part of its due diligence.
Implementation Timeline
Organizations should confirm both their ACH role and their 2023 ACH activity volumes to determine when compliance applies.
For Subsection 2.2.4, Phase I became effective on March 20, 2026, for originating depository financial institutions, non-consumer originators, third-party service providers, and third-party senders that originated or transmitted more than 6 million ACH entries in 2023. Phase II becomes effective on June 19, 2026, for all other covered entities.
For Subsection 3.1.10, Phase I became effective on March 20, 2026, for depository financial institutions that received more than 10 million ACH entries in 2023. Phase II becomes effective on June 19, 2026, for all other receiving depository financial institutions.
Practical Considerations for Compliance
These rule changes do not require organizations to monitor every transaction individually or to screen every entry before processing. That is an important distinction.
Instead, NACHA recognizes that an effective fraud program can use layered controls, batch or near-real-time analytics, targeted reviews, and escalation procedures to identify suspicious activity in a practical, operationally feasible way.
In many cases, the earliest warning signs will come from change events, new relationships, unusual transaction behavior, and cross-channel anomalies. Organizations that focus monitoring efforts in these areas may be better positioned to identify credit push fraud sooner and improve their chances of stopping or recovering funds.
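The two passages above (the "Address Gaps" section's velocity, amount, and change-event analytics, and the warning signs listed here) describe the kind of layered, batch-style review the rules allow instead of per-entry pre-processing screening. The following is an added illustration, not code from the article or from NACHA, of how such a review might be expressed as simple risk-based rules over a batch of outbound credit entries. All payee names, dates, amounts, thresholds, and the reason strings are constructed for the example; the thresholds in particular are placeholders an organization would tune from its own risk assessment.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Payee:
    """Payee master record as an originator might hold it (constructed)."""
    payee_id: str
    account_changed_on: Optional[date]          # last change to bank details, None if never changed
    history: List[float] = field(default_factory=list)  # prior credit amounts to this payee


@dataclass
class CreditEntry:
    """One outbound ACH credit in the batch under review (constructed)."""
    entry_id: str
    payee_id: str
    amount: float
    effective_date: date


# Placeholder thresholds: tune these from your own risk assessment.
CHANGE_WINDOW_DAYS = 30      # credits shortly after a bank-detail change get a callback
AMOUNT_RATIO = 3.0           # flag amounts far above the payee's historical median
VELOCITY_LIMIT = 2           # more credits than this to one payee on one date
NEW_PAYEE_AMOUNT = 10000.0   # first credit to a never-paid payee at or above this


def score_entry(entry: CreditEntry, payee: Payee, same_day_count: int) -> List[str]:
    """Return the list of reasons an entry warrants review (empty if none)."""
    reasons: List[str] = []

    # Change-event rule: a recent change to payee bank details is the classic
    # precursor to vendor payment redirection.
    if payee.account_changed_on is not None:
        days_since_change = (entry.effective_date - payee.account_changed_on).days
        if 0 <= days_since_change <= CHANGE_WINDOW_DAYS:
            reasons.append(f"payee bank account changed {days_since_change} days before effective date")

    # Amount rule: compare against the payee's own history rather than a flat limit.
    if payee.history:
        med = median(payee.history)
        if entry.amount > AMOUNT_RATIO * med:
            reasons.append(f"amount {entry.amount:.2f} exceeds {AMOUNT_RATIO:g}x historical median {med:.2f}")
    elif entry.amount >= NEW_PAYEE_AMOUNT:
        reasons.append(f"first credit to payee at or above {NEW_PAYEE_AMOUNT:.2f}")

    # Velocity rule: repeated same-day credits to one payee.
    if same_day_count > VELOCITY_LIMIT:
        reasons.append(f"{same_day_count} credits to payee on same effective date")

    return reasons


def review_batch(entries: List[CreditEntry], payees: Dict[str, Payee]) -> Dict[str, List[str]]:
    """Score a whole batch; return {entry_id: [reasons]} for entries needing triage."""
    same_day = Counter((e.payee_id, e.effective_date) for e in entries)
    alerts: Dict[str, List[str]] = {}
    for e in entries:
        reasons = score_entry(e, payees[e.payee_id], same_day[(e.payee_id, e.effective_date)])
        if reasons:
            alerts[e.entry_id] = reasons
    return alerts


# Constructed sample data: one clean payee and several that trip a rule.
SAMPLE_PAYEES = {
    "VENDOR-A": Payee("VENDOR-A", date(2026, 4, 2), [4200.0, 4100.0, 4300.0]),  # recent bank change
    "VENDOR-B": Payee("VENDOR-B", None, [900.0, 950.0, 880.0]),                # amount spike
    "VENDOR-C": Payee("VENDOR-C", None, [2000.0, 2100.0]),                     # normal
    "VENDOR-D": Payee("VENDOR-D", None, []),                                   # brand-new payee
    "VENDOR-E": Payee("VENDOR-E", None, [500.0, 500.0, 500.0]),                # velocity
}
RUN_DATE = date(2026, 4, 10)
SAMPLE_ENTRIES = [
    CreditEntry("E1", "VENDOR-A", 4250.0, RUN_DATE),
    CreditEntry("E2", "VENDOR-B", 15000.0, RUN_DATE),
    CreditEntry("E3", "VENDOR-C", 2050.0, RUN_DATE),
    CreditEntry("E4", "VENDOR-D", 12000.0, RUN_DATE),
    CreditEntry("E5", "VENDOR-E", 500.0, RUN_DATE),
    CreditEntry("E6", "VENDOR-E", 500.0, RUN_DATE),
    CreditEntry("E7", "VENDOR-E", 500.0, RUN_DATE),
]

if __name__ == "__main__":
    for entry_id, reasons in review_batch(SAMPLE_ENTRIES, SAMPLE_PAYEES).items():
        print(entry_id, "->", "; ".join(reasons))
```

Each reason string maps to an escalation step from the documentation section (a callback for a change event, a hold and secondary approval for an amount or new-payee alert), which is what lets the written procedures and the monitoring logic stay in step when thresholds are retuned at the annual review.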
Just as important, fraud monitoring should be aligned with recovery pathways. Detecting suspicious activity is only part of the equation. Organizations also need response procedures that support timely interdiction, returns, escalation, and loss mitigation.
A Practical Starting Point
For many organizations, the most effective next step is not a complete redesign of the fraud program, but a structured review of what already exists.
Start by confirming your role in the ACH network and the effective date that applies to your organization. Then update your ACH risk assessment to reflect false pretenses and credit push fraud scenarios, identify detection gaps, strengthen the most important controls, and document the procedures your teams will follow.
These rule changes reflect a broader reality: ACH fraud risk is becoming more complex, more dynamic, and more operationally demanding. Organizations that act now will be better positioned not only to support compliance but also to reduce fraud exposure and respond more effectively when suspicious activity occurs.
Contact a Risk Advisory Specialist to learn more about the new fraud changes.
Frequently Asked Questions
What do NACHA's new ACH fraud rules require?
NACHA’s new Automated Clearing House (ACH) fraud rules require certain ACH participants to implement risk-based processes and procedures designed to identify potentially fraudulent entries, including unauthorized transactions and payments authorized under false pretenses. The rules apply to roles such as originating depository financial institutions (ODFIs), receiving depository financial institutions (RDFIs), non-consumer originators, third-party senders (TPSs), and third-party service providers (TPSPs).
Who must comply with the new NACHA ACH fraud monitoring requirements, and when?
The new NACHA ACH fraud monitoring requirements apply to originating depository financial institutions (ODFIs), receiving depository financial institutions (RDFIs), non-consumer originators, third-party senders (TPSs), and third-party service providers (TPSPs). Compliance timing depends on the organization’s role and the volume of Automated Clearing House (ACH) entries it originated, transmitted, or received during 2023.
How can organizations prepare for NACHA false pretenses and ACH fraud compliance?
Organizations can prepare for NACHA false pretenses and ACH fraud compliance by updating their ACH risk assessment, identifying fraud scenarios relevant to their role, strengthening monitoring and verification controls, documenting risk-based fraud procedures, and establishing escalation and response playbooks. A practical compliance approach should also include governance, monitoring cadence, and annual review processes.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.