Nacha's new risk management Operating Rules took effect on March 20, 2026. The rules require all originating depository financial institutions to establish risk-based processes to identify ACH entries initiated through fraud, regardless of institution size. Non-consumer originators, third-party service providers, and third-party senders with 2023 annual ACH origination volume of 6 million or more entries must also implement monitoring.
Phase 1 requires receiving depository financial institutions processing 10 million or more entries annually to identify inbound credit entries initiated through fraud. This is the first time the Nacha Operating Rules impose a formal fraud monitoring obligation on RDFIs. The change addresses the rise of credit-push fraud, where stolen credentials are used to originate outbound payments that arrive as credits at receiving banks.
Phase 2, effective June 2026, removes volume thresholds and extends fraud monitoring requirements to all ACH Network participants. Separately, standardized Company Entry Descriptions also took effect March 20, requiring originators to use PAYROLL for wage and salary credits and PURCHASE for e-commerce debit entries.