
The 2026 ACH Payment Rule Change: Your Questions Answered


By Hillary Gamblin | Last updated on June 11, 2026


If your organization uses ACH payments, new fraud monitoring requirements now apply to you.

The changes are designed to address a growing reality: many of today’s most costly payment fraud attacks don’t involve unauthorized access or stolen credentials. Instead, they exploit trusted business processes to make fraudulent payments appear legitimate.

To address that risk, Nacha—the organization that governs the ACH Network, which powers everything from payroll and direct deposit to vendor and B2B payments—introduced significant new fraud risk management requirements in 2026.

Many finance teams know something has changed. Far fewer understand what the new rules actually require, who they apply to, and what organizations need to do before enforcement deadlines arrive.

This FAQ answers the most common questions AP and treasury teams are asking.


What Is Nacha and Why Is It Important Right Now?

Nacha (National Automated Clearing House Association) is the organization that governs the ACH Network—the payment rails that move trillions of dollars annually across the United States. Every direct deposit, vendor payment, payroll disbursement, and B2B transfer that moves through the ACH system does so under Nacha’s operating rules. 

While Nacha updates those rules periodically, the 2026 changes are more significant than a routine compliance update. They expand fraud monitoring expectations beyond traditional payment validation and require organizations to take a more proactive, risk-based approach to detecting payment fraud. For finance teams that have long relied on existing controls, the new requirements create a higher standard for how fraud risk is monitored and managed.

Timing matters too. Phase 1 of the new requirements took effect on March 20, 2026, and applied to organizations originating six million or more ACH entries annually. Phase 2 takes effect on June 22, 2026, and eliminates the volume threshold. In other words, these aren’t rules aimed solely at the largest payment originators. Any organization that sends ACH payments should understand how the new requirements apply to its fraud prevention program.

If you’re unfamiliar with Nacha, read our Nacha Guide explaining who they are, what they do, and why the changes matter for organizations that send ACH payments.

What Actually Changed?

To better understand why the 2026 updates matter, it helps to know what came before them. Under the previous framework, Nacha’s fraud monitoring expectations were narrow and specific. Organizations were required to maintain a commercially reasonable fraud detection system, but that obligation applied primarily to internet-initiated consumer debits (including WEB entries and Micro-Entries). For most B2B payment operations, the practical implication was limited.

That has changed. Nacha now requires any business that originates ACH payments to implement a documented, risk-based fraud monitoring program. The program must monitor fraud throughout the payment lifecycle, and organizations must be able to demonstrate how their controls work, what risks they are designed to detect, and how they are reviewed over time.

The six core capabilities introduced or expanded under the new rules are:

  • Risk-based fraud monitoring
  • Detection of False Pretenses
  • Establishment of behavioral baselines 
  • Anomaly detection 
  • Continuous monitoring throughout the payment lifecycle 
  • Documented annual review 

Very few organizations have all of these capabilities in a form that meets the new standard. Many still rely on controls designed to validate payment data, while the new requirements are increasingly focused on detecting fraud that appears legitimate. 

If you want a full breakdown of what each requirement demands in practice, read our detailed guide to the 2026 ACH fraud monitoring requirements.

[Infographic: Fraud Monitoring Requirements, Simplified. Six key measures for finance teams under the Nacha 2026 requirements.]

Do These New Rules Actually Help Reduce Fraud?

Yes, because they address the way many modern ACH fraud attacks actually happen. 

For years, payment controls focused on validating transactions: Is the account real? Is the payment authorized? Does the information match? 

Those controls remain important, but many of today’s most costly fraud attacks don’t involve unauthorized access or invalid payment data. Instead, they exploit trusted business processes, allowing fraudulent payments to appear legitimate enough to pass existing controls.

This isn’t a rare edge case. Trustmi’s analysis of real-world payment fraud attacks found that 92% involved vendor or executive impersonation, highlighting how often attackers rely on deception rather than technical compromise. In many cases, the payment can pass account validation checks, approval workflows, and other traditional controls because the fraud is embedded within what appears to be a normal business process.

That’s why the new requirements are significant. They shift the focus from simply validating payment information to monitoring for risk across the broader payment workflow. Organizations are now expected to establish behavioral baselines, identify anomalies, and detect fraud before money moves.

In other words, the rules recognize a reality many finance teams already know: ACH fraud is no longer just a payment validation problem. It’s increasingly a behavioral fraud detection problem. That doesn’t mean compliance alone will stop fraud. But it does mean the framework is finally moving closer to the way modern payment fraud actually works.


So, Who Do These New Rules Apply To?

If your business uses ACH payments, these rules likely apply to you. More specifically, the requirements cover:

  • Businesses that initiate ACH payments, including vendor payments, payroll, treasury transfers, and other outbound ACH transactions
  • Banks and financial institutions that process ACH originations on behalf of their clients
  • Third-party payment processors that transmit ACH entries on behalf of other organizations
  • Technology and service providers that support ACH origination workflows

In other words, these requirements extend beyond financial institutions. If your organization originates, processes, or supports ACH payments, it should understand how the new rules apply to its payment fraud controls.

How Can Organizations Prepare Before the June 22 Deadline?

The most useful starting point is an honest assessment of where your current controls fall short relative to what Nacha now requires. Here is what organizations need to actually do:

  • Map Your Monitoring Coverage: Trace every touchpoint where a payment originates and identify where monitoring currently exists and where it does not. Any gap before the payment file stage is a gap where False Pretenses fraud can enter undetected. Once you know where the blind spots are, you can prioritize closing them in order of risk exposure.
  • Build Behavioral Baselines: Risk-based monitoring only works if you know what normal looks like. For significant vendor relationships, document the expected communication patterns, typical invoice amounts and timing, and historical frequency of banking detail changes. 
  • Replace Reconstructed Documentation: Organizations need a process that captures decisions, risk signals, and reviewer actions as a natural byproduct of how payments are processed. 
  • Evaluate Your Current Tooling: Assess whether your existing controls can detect a vendor impersonation. If the answer is no, that is the capability gap the Nacha compliance solution guide is designed to help you close.

The common thread across all of these requirements is visibility. Organizations need to understand what normal payment activity looks like, identify when something deviates from it, and document how fraud risk is monitored throughout the payment lifecycle.

Are Your ACH Fraud Controls Ready?

The new requirements aren’t just about compliance. They’re about detecting fraudulent payments that appear legitimate before money moves. 

Take the Trustmi Nacha Readiness Assessment to evaluate your fraud monitoring program, identify potential gaps, and understand where your organization may be exposed.
