Starting on March 20, 2026, new Nacha risk management rules (“Rules”) go into effect that require originating and receiving entities, as well as service providers, to implement “risk-based processes and procedures” to detect fraudulent ACH entries, expanding a prior rule that regulated a limited subset of transactions. The Rules remove the existing “commercially reasonable” standard for fraud detection and instead state that procedures must be “relevant to the role” of the entity in the ACH transmission process. Although Nacha does not require entities to screen each ACH entry individually or monitor customers pre-processing, risk procedures must, at minimum, assess transactions for risk and allocate resources proportionately to the degree of risk. The Rules highlight ACH transactions entered under false pretenses, such as those arising from impersonated vendors or compromised email security, as an area deserving particular attention.
The Rules take effect on March 20, 2026, for all Originating Depository Financial Institutions (ODFIs); Receiving Depository Financial Institutions (RDFIs) that received 10 million or more ACH entries in 2023; and any non-Consumer Originators, Third Party Service Providers (TPSPs), and Third Party Senders (TPSs) with an annual ACH origination volume of 6 million or greater in 2023. The Rules take effect for all other RDFIs, non-Consumer Originators, TPSPs, and TPSs on June 19, 2026. An ODFI may consider the fraud-mitigation steps other originating parties are taking when designing its risk program, and all parties must review their own procedures at least annually.
Nacha defines an “Originator” as an entity that initiates an ACH credit or debit transaction, such as an employer initiating a payroll direct deposit. A “Third Party Sender” facilitates the communication between an Originator and an ODFI but is not otherwise related to the financial institution, such as a payroll processing company. To fall under the Rules, a “Third Party Service Provider” must perform functions of ACH processing “on behalf of” a regulated entity. Entities providing ancillary software services to a financial institution, for example, would not be bound. The Nacha Rules are enforced through Nacha’s Rules Compliance program and do not modify the allocation of liability between entities under applicable law.
With the compliance dates approaching, affected entities should begin evaluating whether their existing ACH fraud controls align with the new risk-based standard and are appropriately tailored to their role in the ACH ecosystem.