Nacha’s 2026 ACH Rules: Raising the Bar on Scam Prevention

Nacha’s 2026 rule changes mark a turning point for ACH, which is now expected to operate as a fully monitored fraud rail rather than just a low-cost payment channel. Nearly all non-consumer originators, third parties, and financial institutions must implement documented, risk-based monitoring focused on scams such as vendor impersonation, payroll diversion, and BEC driven payments. This is not just a compliance tweak, but a mandate to demonstrate that ACH scam controls are in place, effective, and continuously improving.

What changes in 2026

Nacha is targeting credit‑push fraud and payments sent under false pretenses, including vendor impersonation, payroll diversion, and BEC‑driven ACH credits. The rules create network‑wide expectations for fraud monitoring and better data, including standardized Company Entry Descriptions (e.g., payroll, purchase) that support anomaly detection. Participants must reviewand update fraud monitoring processes at least annually.

Who is impacted and when

The requirements roll out in two phases, starting with high‑volume participants and then extending to everyone. Smaller institutions and originators are fully inscope by mid‑2026.

·       Phase 1 – March 20, 2026
Originating Depository Financial Institution (ODFI)s and non‑consumer Originators/Third-Party Service Providers (TPSP)s/Third Party Senders (TPS)s with ≥6M originated entries in 2023, and RDFIs with ≥10M received entries in2023.

·       Phase 2 – June 2026
Same monitoring expectations for all remaining non‑consumer Originators, TPSPs, TPSs, and Receiving Depository Financial Institution (RDFI)s, regardless of ACH volume.

What Nacha expects

Nacha is moving from loose “commercially reasonable” language to documented, auditable programs. The sophistication of controls should match each institution’s risk and volume, but the obligation to monitor for scams is now universal.

Core expectations:

·      Documented, risk‑based processes to identify ACH transactions initiated due to fraud, including credit‑push scams

·      Controls spanning onboarding, authentication, payee/account changes, and ongoing transaction monitoring

·      Governance: regular reviews, tuning, and proof that controls work for Nacha and examiners

Why this matters and how Conduit helps

The liability framework for authorized credit push fraud is not being rewritten, but weak ACH fraud programs will increasingly lead to enforcement actions, fines, and reputational damage when customers lose money. Institutions that strengthen ACH scam defenses now can turn Nacha’s 2026 rules into an advantage, not just another compliance box to check.

Conduit Security’s real-time controls, monitoring and workflows are built for this moment, aligning with Nacha’s push for proactive, risk-based fraud programs while helping institutions better protect customers from scams.