Nacha’s June 2026 Fraud Rule Now Covers Every ACH Sender

The Nacha Fraud Monitoring Rules Now Apply to Every Business That Sends ACH
For most of the history of the ACH network, fraud-monitoring obligations sat with the banks and the largest payment originators. If your business sent payroll, paid vendors, or collected payments by bank transfer, the rules that governed fraud detection were somebody else’s problem — your bank’s, or your payroll provider’s.
That is no longer true. As of the Phase 2 effective date, the Nacha fraud monitoring rules apply to every non-consumer business that originates ACH entries, regardless of how few you send. A 15-person nonprofit sending twenty vendor payments a month is now held to the same baseline standard as a Fortune 500 company. There is no minimum-volume threshold and no exemption for small senders.
This post explains what the Nacha fraud monitoring requirement actually involves, who it covers, what the realistic deadline is, and what a compliant process looks like for a small or mid-sized business. It is written for the merchant or business owner who originates ACH — not for the bank.
The rule’s official effective date is June 19, 2026. But June 19 is Juneteenth, a federal banking holiday, so Nacha has stated the practical compliance date is the next banking day: Monday, June 22, 2026. Do not treat the holiday as breathing room — your process needs to exist before that Monday.
Phase 1 vs Phase 2 — and Why Phase 2 Is the One That Affects You
Nacha rolled the fraud-monitoring requirement out in two phases, sequenced by size. Phase 1 took effect March 20, 2026 and applied only to the largest participants: originators that processed six million or more ACH entries in 2023, along with the originating banks themselves. If you are reading this and wondering whether it applies to your business, you were almost certainly not in Phase 1.
Phase 2 is different precisely because it removes the threshold. It extends the same Nacha fraud monitoring obligation to every remaining non-consumer originator, third-party sender, and third-party service provider — and, on the receiving side, to all banks regardless of volume. The phased structure was designed to give larger, higher-risk participants an earlier deadline while giving smaller businesses extra time to build a program. That extra time is now nearly gone.
If your business initiates an ACH transaction — sending payroll to employees, paying a supplier by bank transfer, or pulling a recurring payment from a customer’s account — you are an ACH originator. That is the role the rule covers. Receiving an occasional ACH credit does not make you an originator; initiating the entry does.
What the Rule Actually Requires You to Do
The core obligation is to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. Two phrases in that sentence carry most of the weight, and understanding them is the difference between a compliant program and a checkbox that fails under scrutiny.
“Risk-based” means you do not have to inspect every transaction. You are expected to identify where fraud risk concentrates in your operation — payroll changes, new vendor setups, first-time payments, banking-detail updates — and focus monitoring there. The monitoring also does not have to happen before a payment posts; detection can be after the fact, as long as it is systematic.
“Reasonably intended” means the rule does not prescribe a specific tool or method. It expects a documented, defensible approach proportionate to your volume and systems — not a particular software product. What it explicitly will not accept, however, is manual two-person approval as your entire program. Nacha has stated that human approval alone is no longer sufficient; you need processes that operate across your full payment volume.
The rule also expands what counts as fraud. Beyond unauthorized transactions, it now covers entries authorized “under false pretenses” — a new term aimed squarely at the scams that actually drain business accounts.
Nacha defines false pretenses as inducing a payment by misrepresenting one’s identity, one’s authority to act for another party, or the ownership of the account being credited. In practice this is business email compromise and vendor impersonation: the fake “our banking details have changed” email, the spoofed CEO requesting an urgent wire-like ACH, the payroll-redirect scam. These are payments the business authorized — which is exactly why they slip past old controls.
Account Verification and the New Entry Descriptions
The Nacha fraud monitoring mandate arrived alongside two companion requirements in the same 2026 rules package that are easy to overlook. Both are mandatory, not optional, and both can trigger problems if ignored.
The first is account verification on ACH credits. Every ACH credit you originate needs a verified recipient account, with the verification method, date, and outcome retained. Email-only confirmation of a recipient’s banking details does not satisfy this — which is the direct countermeasure to the vendor-impersonation scams the false-pretenses language targets.
The second is standardized Company Entry Descriptions, which went live in March 2026. Descriptions such as “PAYROLL” and “PURCHASE” are now mandatory for the relevant entry types. Treating them as cosmetic is a mistake: a non-compliant entry description can trigger return reason codes and additional bank scrutiny, and your payroll provider, accounts-payable system, and any e-commerce billing all need to be checked for compliance.
For a small or mid-sized originator, compliance is largely about documenting what you already do and closing the obvious gaps — a written policy, a risk assessment naming your high-risk payment scenarios, and a monitoring routine sized to your volume. The cost is usually time and discipline, not an enterprise fraud platform.
What a Compliant Process Looks Like for a Smaller Business
You do not need a fraud-operations department. You need a documented, defensible Nacha fraud monitoring program with a few specific pieces in place before the June 22 banking day:
- A written fraud-monitoring policy — a short document explaining how your business identifies suspicious ACH activity for your specific use cases.
- A risk assessment — a plain statement of where ACH fraud is most likely to arise in your operation: payroll updates, vendor banking-detail changes, refunds, disbursements, first-time payees.
- Monitoring and exception-handling steps — how flagged activity gets reviewed and resolved, aligned to your actual volume, systems, and workflows.
- An account-verification routine — a method for confirming recipient bank details that does not rely on email alone, with records of method, date, and outcome kept for at least two years.
- An annual review — the rule expects you to revisit and update your processes at least once a year as fraud patterns shift.
If your business is moving B2B payments toward bank transfer — which a growing number of merchants are, given the cost advantage over cards — this compliance work is part of doing ACH correctly rather than a separate burden. The same logic that makes routing B2B payments to ACH instead of cards a smart cost decision also makes a clean Nacha fraud monitoring program a requirement of running that rail well. For the mechanics of how bank-transfer acceptance works, see our overview of ACH payment processing.
Frequently Asked Questions
The Phase 2 effective date is June 19, 2026, but because that is the Juneteenth federal holiday, Nacha has stated the practical compliance date is the next banking day — Monday, June 22, 2026. If your business originates ACH and was not already covered under Phase 1 (six million-plus entries in 2023), this is your deadline.
Yes. Phase 2 eliminates the volume threshold entirely. Any non-consumer originator, third-party sender, or service provider must comply regardless of how few entries it sends. There is no small-business exemption — a low-volume nonprofit is held to the same baseline standard as a large corporation.
No. The rule is “risk-based” and “reasonably intended” — it requires a documented, defensible process proportionate to your volume, not a specific product. What it will not accept is manual two-person approval as your entire program. For most small originators, compliance is a written policy, a risk assessment, a monitoring routine, and an account-verification step.
Send Us Your Setup. We’ll Show You Where the ACH Gaps Are.
If your business originates ACH for payroll, vendor payments, or customer collections, the June 22 deadline applies to you. Send Brookside how you currently send and verify those payments, and we’ll tell you what a compliant, right-sized fraud-monitoring process looks like for your volume — and where ACH can cut your card costs at the same time. The review takes about fifteen minutes of your time. Learn more about payment processing consumer protections from the CFPB.