ACH Risk Management: Understanding NACHA’s Rule Changes

April 29, 2024

By: Mindy Shadoin, Consultant at Young & Associates

On March 15, 2024, Nacha (previously the National Automated Clearing House or NACHA) approved 15 new Automated Clearing House (ACH) rule changes surrounding ACH risk management. These changes are specifically targeted at reducing the incidence of successful fraud and improving the recovery of funds.  

Overview of NACHA’s Rule Changes 

These new rules establish a base-level of ACH payment monitoring on all parties in the ACH Network, except consumers. The new rules do not shift the liability for ACH payments; however, receiving financial institutions or RDFIs will have a defined role in monitoring the ACH payments they receive.  

Rule Changes Effective June 2024 

The following rule changes take effect June 21, 2024: 

  • General Rule Definitions for Web Entries: Rewords the WEB general rule and definition in Article Eight to make is clearer that the WEB SEC Code must be used for all consumer-to-consumer credits regardless of how the consumer communicates the payment instructions to the Originating Depository Financial Institution (ODFI) or P2P service provider.  
  • Definition of Originator: Clarifies changes and alignments to the definitions of Originator to include a reference to the Originator’s authority to credit or debit the Receiver’s account and that the Rules do not always require a receiver’s authorization (Reversals, Reclamations, Person-to-Person Entries).  
  • Originator Action on Notification of Change (NOC): Provides Originators discretion to make NOC changes for a Single Entry, regardless of the SEC Code.  
  • Data Security Requirements: Clarifies that, once a covered party meets the volume threshold for the first time, the requirement to render account numbers unreadable remains in effect, regardless of future volume.  
  • Use of Prenotification Entries: Aligns the prenote rules with industry practice by removing language that limits prenote use to only prior to the first credit or debit entry.  
  • Clarification of Terminology: Subsequent Entries: Replace references to “subsequent entry” in various Rules sections with synonymous terms to avoid any confusion with the new definition of “Subsequent Entry.” 

Rule Changes Effective October 2024  

The following rule changes take effect October 1, 2024: 

  • Additional Funds Availability Exceptions: Provide RDFIs with an additional exemption from the funds availability requirements to include credit ACH entries that the RDFI suspects are fraudulent. 
  • Codifying Use of Return Reason Code R17: Allow RDFIs to return an entry believed to be fraudulent using Return Reason Code R17. 
  • Expand Use of ODFI Request for Return/R06: Expand the permissible uses of the Request for Return Reason Code (R06) to allow an ODFI to request a return from the RFI for any reason. 
  • RDFI Must Promptly Return Unauthorized Debit: Require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Business Day following the completion of its review of the consumer’s signed Written Statement of Unauthorized Debit (WSUD).  
  • Timing of Written Statement of Unauthorized Debit (WSUD): Allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver, even if the debit has not yet been posted to the account.  

Rule Changes Effective 2026 

The following rule changes take effect March 20, 2026: 

  • Company Entry Description – Payroll: Establish a new standard description of Payroll for PPD Credits for payment of wages, salaries, and other similar types of compensation. 
  • Company Entry Description – Purchase: Establish a new standard description of PURCHASE for e-commerce purchases. 

The following rule changes take effect in two phases.  

  • Phase 1 is effective March 20, 2026, for all ODFIs and non-Consumer Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs) with an annual ACH origination volume of 6 million or greater in 2023. 
  • Phase 2 is effective June 19, 2026, for all other non-Consumer Originators, TPSPs, and TPSs   
    • Fraud Monitoring by Originators, TPSPs, and ODFIs: Requires each non-Consumer Originator, ODFI, TPSP, and TPS to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud. 
    • RDFI ACH Credit Monitoring: Requires RDFIs to establish and implement risk-based processes and procedures reasonably intended to identify credit ACH Entries initiated due to fraud.  

Ensuring A Secure ACH Landscape Through Proactive Risk Mitigation 

The recent ACH rule changes approved by NACHA signify a significant step towards enhancing ACH risk management and fraud prevention within the financial industry. These changes aim to reduce the incidence of successful fraud and improve the recovery of funds, ultimately safeguarding the integrity of the ACH Network. 

With the implementation of these rule changes, financial institutions and other stakeholders involved in ACH transactions will need to adapt their policies, procedures, and risk management processes accordingly. It’s essential for organizations to stay informed about these regulatory updates and ensure compliance to mitigate ACH-related risks effectively. 

Enhance Your ACH Risk Management Framework with Young & Associates’ Proven Expertise 

Are you seeking expert guidance and support to navigate these ACH rule changes and ensure compliance with regulatory requirements? At Young & Associates, we understand the unique challenges faced by financial institutions in today’s evolving regulatory landscape.

We specialize in providing tailored regulatory compliance consulting services, including comprehensive support with ACH functions such as ACH audit and ACH risk assessment. Our team of experienced professionals is committed to helping you strengthen your ACH risk management practices and achieve regulatory compliance seamlessly. 

Contact us today to explore how we can assist your financial institution in meeting its regulatory obligations while optimizing operational efficiency and minimizing risk exposure. Or, click here to discover the benefits of our customizable ACH policy. Together, let’s navigate the complexities of ACH compliance and ensure the security and integrity of your financial transactions.

Get Our Insights

Connect with a consultant

Contact us to learn more about our consulting services and how we can add value to your financial institution