Nacha's Two-Phase ACH Fraud Monitoring Mandate Begins, Reshaping Risk Obligations for Originators and Receivers Alike

The ACH network crossed a regulatory threshold on March 20, 2026, as Nacha's Fraud Monitoring Phase 1 amendments took effect. All Originating Depository Financial Institutions must now establish and implement risk-based processes and procedures reasonably intended to identify entries initiated due to fraud, whether those entries are unauthorized or authorized under false pretenses. The same requirement extends to non-consumer originators, third-party service providers, and third-party senders whose 2023 annual ACH origination volume exceeded 6 million entries.

On the receiving side, Phase 1 introduces a parallel obligation for Receiving Depository Financial Institutions with annual ACH receipt volume exceeding 10 million entries in 2023. These institutions must implement risk-based monitoring for incoming ACH credit entries that may have been initiated due to fraud. Nacha's guidance recognizes that RDFIs hold a unique vantage point, with visibility into incoming transaction patterns, account profile information, and historical account activity that can reveal anomalies such as unusual velocity, mismatched SEC codes, or suspicious patterns on newly opened accounts.

The rules deliberately avoid prescribing specific technologies or methods, instead requiring a risk-based approach that institutions must review at least annually for adequacy. Monitoring need not occur before processing, and ODFIs may consider the fraud detection steps taken by other participants in the origination chain when designing their own procedures. The concept of false pretenses is central to the new framework, covering scenarios where a payment is technically authorized but was induced through deception such as business email compromise, vendor impersonation, or payroll redirection fraud.

Phase 1 also mandates standardized values in the Company Entry Description field for certain transaction types. Originators must now use PAYROLL for all PPD credit entries that pay wages, salaries, or similar compensation, and PURCHASE for e-commerce purchase debits. This labeling requirement creates structured data that improves the ability of receiving institutions to apply transaction-type-specific risk rules.

The more consequential deadline arrives on June 19, 2026, when Phase 2 eliminates the volume thresholds entirely. From that date, all non-consumer originators, third-party service providers, and third-party senders must comply with the fraud monitoring mandate regardless of their origination or transmission volume. Because June 19 is a federal holiday, the practical compliance date shifts to Monday, June 22, 2026. This extension ensures that smaller participants, who may lack sophisticated fraud detection infrastructure, are nonetheless brought within the governance framework.

The two-phase approach reflects the shift in ACH fraud losses toward credit-push fraud, particularly business email compromise and payroll redirection schemes. By mandating monitoring on both the originating and receiving sides of the network, the rules create overlapping layers of detection intended to increase the probability of intercepting fraudulent entries before funds are dispersed.