By Mindy Shadoin, Consultant, Young & Associates

On March 15, 2024, Nacha announced significant updates to ACH (Automated Clearing House) Rules, aimed at enhancing fraud management and improving the recovery of funds. These updates are set to roll out in phases, with some changes effective as early as June 2024 and others beginning March 20, 2026. This article summarizes the key changes that will take effect in 2026, providing a concise overview of what community financial institutions need to know.

Key Changes Effective March 2026

The changes effective March 20, 2026, are designed to address fraud more effectively and enhance the recovery of funds when fraud occurs. Institutions must adapt to these new rules to comply with regulatory requirements and improve their fraud detection and management practices.

Fraud Monitoring (Phase 1)

Who’s Affected: Originating Deposit Financial Institutions (ODFIs) and each Non-Consumer Originator, Third-Party Service Provider, and Third-Party Senders with annual ACH origination volume of six million or greater in 2023.

Requirements: Institutions must implement risk-based processes for ACH entry fraud detection and review these processes annually. The final rule emphasizes specific process requirements over the previous “commercially reasonable” standard.

Reason: The amendment is designed to cut down on fraud. By regularly monitoring for fraud, institutions can create a baseline of normal activity, which makes it easier to spot unusual or suspicious behavior.

RDFI ACH Credit Monitoring

Who’s Affected: Receiving Depository Financial Institutions (RDFIs) with annual ACH receipt volumes of 10 million or more in 2023.

Requirements: RDFIs must develop fraud detection systems for incoming credit entries, using a risk-based approach to monitor transaction patterns and account anomalies.

Reason: The rule aims to decrease successful fraud and improve the recovery of funds in case of fraud. It supports an institution’s regulatory duty to monitor suspicious transactions. Additionally, it promotes better communication between compliance, operations, product management, and relationship staff.

New Definitions and Descriptions

False Pretenses

The updated rules introduce the term “False Pretenses,” which refers to fraud involving misrepresentations of identity, authority, or account ownership. This definition aims to cover common fraud scenarios like Business Email Compromise (BEC) and vendor impersonation, enhancing clarity in handling such cases.

Standard Company Entry Description: Payroll

Effective March 20, 2026, regardless of ACH volume, all Prearranged Payment and Deposit Entry (PPD) Credits for wages and similar compensation must include the description “PAYROLL” in the Company Entry Description field. This standardization will help RDFIs better identify payroll-related transactions and prevent fraud associated with payroll redirections.

Standard Company Entry Description: Purchase

Effective March 20, 2026, regardless of ACH volume, this amendment requires that e-commerce purchases use the description “PURCHASE” in the Company Entry Description field. This change will help differentiate e-commerce transactions and prevent misclassification of transactions.

Changes Effective June 2026

Fraud Monitoring (Phase 2)

Starting June 22, 2026, the rules from Phase 1 will apply to all RDFIs not previously covered. These Phase 2 changes will further enhance fraud detection and fund recovery processes, ensuring comprehensive coverage across the industry.

Preparing for the Nacha Rule Changes

The upcoming changes to the Nacha Operating Rules represent a significant step forward in managing ACH fraud and improving fund recovery. Financial institutions will need to prepare by refining their fraud monitoring processes and adapting to the new definitions and descriptions outlined in these rules. For detailed information, you can find the Nacha Operating Rules and Guidelines on Nacha’s website.

Staying informed and compliant with these rules will be crucial for maintaining effective fraud management and regulatory adherence. This article provides a simplified overview of these updates, focusing on key changes and their implications. For a more comprehensive understanding, inquire about the in-depth article featured in the August edition of our Compliance Update newsletter, including details on the final rule changes, adjustments from the original proposal issued in May 2023, and specific actions required.

Each month, our Compliance Update newsletter offers in-depth analysis and insights on regulatory updates and amendments impacting the banking industry. Our compliance experts review new developments and provide valuable guidance to help you maintain regulatory compliance and navigate the evolving landscape. To receive timely and detailed compliance information, we encourage you to subscribe. Click here to learn more about our Compliance Update newsletter and purchase a subscription.

Additionally, Young & Associates provides a full suite of regulatory compliance consulting services tailored to meet the unique needs of your institution. Our offerings include ACH self-assessment reviews, compliance outsourcing, our Virtual Compliance Consultant Program, and more, designed to simplify complex regulatory requirements and allow you to focus on strategic goals. For more information on how we can support your institution, please contact us.

By: Mindy Shadoin, Consultant at Young & Associates

On March 15, 2024, Nacha (previously the National Automated Clearing House or NACHA) approved 15 new Automated Clearing House (ACH) rule changes surrounding ACH risk management. These changes are specifically targeted at reducing the incidence of successful fraud and improving the recovery of funds.  

Overview of NACHA’s Rule Changes 

These new rules establish a base-level of ACH payment monitoring on all parties in the ACH Network, except consumers. The new rules do not shift the liability for ACH payments; however, receiving financial institutions or RDFIs will have a defined role in monitoring the ACH payments they receive.  

Rule Changes Effective June 2024 

The following rule changes take effect June 21, 2024: 

• General Rule Definitions for Web Entries: Rewords the WEB general rule and definition in Article Eight to make is clearer that the WEB SEC Code must be used for all consumer-to-consumer credits regardless of how the consumer communicates the payment instructions to the Originating Depository Financial Institution (ODFI) or P2P service provider.  
• Definition of Originator: Clarifies changes and alignments to the definitions of Originator to include a reference to the Originator’s authority to credit or debit the Receiver’s account and that the Rules do not always require a receiver’s authorization (Reversals, Reclamations, Person-to-Person Entries).  
• Originator Action on Notification of Change (NOC): Provides Originators discretion to make NOC changes for a Single Entry, regardless of the SEC Code.  
• Data Security Requirements: Clarifies that, once a covered party meets the volume threshold for the first time, the requirement to render account numbers unreadable remains in effect, regardless of future volume.  
• Use of Prenotification Entries: Aligns the prenote rules with industry practice by removing language that limits prenote use to only prior to the first credit or debit entry.  
• Clarification of Terminology: Subsequent Entries: Replace references to “subsequent entry” in various Rules sections with synonymous terms to avoid any confusion with the new definition of “Subsequent Entry.” 

Rule Changes Effective October 2024  

The following rule changes take effect October 1, 2024: 

• Additional Funds Availability Exceptions: Provide RDFIs with an additional exemption from the funds availability requirements to include credit ACH entries that the RDFI suspects are fraudulent. 
• Codifying Use of Return Reason Code R17: Allow RDFIs to return an entry believed to be fraudulent using Return Reason Code R17. 
• Expand Use of ODFI Request for Return/R06: Expand the permissible uses of the Request for Return Reason Code (R06) to allow an ODFI to request a return from the RFI for any reason. 
• RDFI Must Promptly Return Unauthorized Debit: Require that when returning a consumer debit as unauthorized in the extended return timeframe, the RDFI must do so by the opening of the sixth Business Day following the completion of its review of the consumer’s signed Written Statement of Unauthorized Debit (WSUD).  
• Timing of Written Statement of Unauthorized Debit (WSUD): Allow a WSUD to be signed and dated by the Receiver on or after the date on which the Entry is presented to the Receiver, even if the debit has not yet been posted to the account.  

Rule Changes Effective 2026 

The following rule changes take effect March 20, 2026: 

• Company Entry Description – Payroll: Establish a new standard description of Payroll for PPD Credits for payment of wages, salaries, and other similar types of compensation. 
• Company Entry Description – Purchase: Establish a new standard description of PURCHASE for e-commerce purchases. 

The following rule changes take effect in two phases.  

• Phase 1 is effective March 20, 2026, for all ODFIs and non-Consumer Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs) with an annual ACH origination volume of 6 million or greater in 2023. 
• Phase 2 is effective June 19, 2026, for all other non-Consumer Originators, TPSPs, and TPSs   
  • Fraud Monitoring by Originators, TPSPs, and ODFIs: Requires each non-Consumer Originator, ODFI, TPSP, and TPS to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud. 
  • RDFI ACH Credit Monitoring: Requires RDFIs to establish and implement risk-based processes and procedures reasonably intended to identify credit ACH Entries initiated due to fraud.  

Ensuring A Secure ACH Landscape Through Proactive Risk Mitigation 

The recent ACH rule changes approved by NACHA signify a significant step towards enhancing ACH risk management and fraud prevention within the financial industry. These changes aim to reduce the incidence of successful fraud and improve the recovery of funds, ultimately safeguarding the integrity of the ACH Network. 

With the implementation of these rule changes, financial institutions and other stakeholders involved in ACH transactions will need to adapt their policies, procedures, and risk management processes accordingly. It’s essential for organizations to stay informed about these regulatory updates and ensure compliance to mitigate ACH-related risks effectively. 

Enhance Your ACH Risk Management Framework with Young & Associates’ Proven Expertise 

Are you seeking expert guidance and support to navigate these ACH rule changes and ensure compliance with regulatory requirements? At Young & Associates, we understand the unique challenges faced by financial institutions in today’s evolving regulatory landscape.

We specialize in providing tailored regulatory compliance consulting services, including comprehensive support with ACH functions such as ACH audit and ACH risk assessment. Our team of experienced professionals is committed to helping you strengthen your ACH risk management practices and achieve regulatory compliance seamlessly. 

Contact us today to explore how we can assist your financial institution in meeting its regulatory obligations while optimizing operational efficiency and minimizing risk exposure. Or, click here to discover the benefits of our customizable ACH policy. Together, let’s navigate the complexities of ACH compliance and ensure the security and integrity of your financial transactions.