DEFENSESTORM BLOG

Everything You Need to Know About the 2026 Nacha Operating Rules and Regulations

Wednesday, December 3rd, 2025

Nacha has released the 2026 Operating Rules and Regulations, and DefenseStorm breaks down the key points you need to know.

Starting in 2026, Nacha will expect every Automated Clearing House (ACH) participant to have risk-based fraud-monitoring controls, review them at least once a year, and maintain documentation showing how the controls work and how they evolve over time.

Phase 1 kicks in on March 20, 2026 for larger senders/receivers and all Originating Depository Financial Institutions (ODFIs).

Phase 2 follows on June 19, 2026 (practical compliance date June 22) and completes coverage for all remaining Originators, TPS/TPSPs, and Receiving Depository Financial Institutions (RDFIs). If you start now on three basics, (1) a clear policy, (2) practical monitoring steps, and (3) simple proof of annual review, you’ll be in strong shape for exams and daily operations.

What’s Changing

  • Fraud monitoring now applies across ACH, not just for WEB debits or select scenarios. Controls should match your role, scale, and level of risk.
  • An annual review of monitoring practices is now explicit — and you must keep documentation of updates, decisions, and rationale.
  • Nacha’s expansion targets scams often authorized under false pretenses (e.g., BEC/vendor impersonation, payroll redirection).
  • New standard Company Entry Descriptions (like “PAYROLL” and “PURCHASE”) also go live in March 2026 as part of this rules package.

Who Is Covered and When

Phase 1 Effective March 20, 2026

  • All Originating Depository Financial Institutions (ODFIs)
  • Non-consumer Originators and TPS/TPSPs with 6M+ originations in 2023
  • RDFIs with 10M+ receipts in 2023

Phase 2 Effective June 22, 2026

  • All remaining non-consumer Originators
  • All remaining TPS/TPSPs
  • All RDFIs

What Nacha Expects

  • Use monitoring processes that are “reasonably intended” to identify suspicious ACH entries.
  • You do not need to check every entry.
  • Monitoring does not have to happen before posting.
  • Controls should improve over time as fraud patterns shift — adjust thresholds, tune rules, update playbooks.
  • Keep clear records: policies, procedures, annual reviews, and real examples of decisions.
  • Document the rationale for your monitoring approach and timing.

How to Get Exam-Ready: Three Things to Show

  1. Policy

A written risk assessment explaining how you scale controls based on:

  • Your role (ODFI, Originator, TPS/TPSP, RDFI)
  • Customer type
  • Standard Entry Class code (SEC code)
  • Dollar thresholds
  • New or changed payment instructions
  • Higher-risk flows or account behaviors

  2. Process

Practical, consistent steps for monitoring activity, such as:

  • Thresholds or alerts for unusual activity
  • Review steps for suspect transactions
  • Who decides, when to hold or return funds, and how to escalate
  • How you coordinate with counterparties (e.g., Originators or RDFIs)

  3. Proof

Evidence that your program lives and breathes:

  • A short annual review memo
  • Change logs showing policy/procedure updates
  • Case examples illustrating detection → decision → outcome

Role Snapshots

ODFIs, Originators, TPS/TPSPs

  • Monitor outbound volume, velocity, unusually high-dollar entries, sudden changes, and new payees.
  • Watch for anomalies tied to known fraud types (vendor impersonation, payroll redirection).
  • Coordinate with originators when something looks off — and document decisions.

RDFIs

  • Monitor credits to new, dormant, or high-risk accounts.
  • Watch for sudden bursts of activity or mismatches between SEC codes and account types.
  • Document decisions when delaying availability or returning funds — especially when fraud may involve False Pretenses.
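
One way to turn the RDFI signals above (new or dormant accounts, bursts, SEC-code/account-type mismatches) into a screening pass that can run after posting and emits case records for the evidence file. This is an added example, not DefenseStorm or Nacha code; the thresholds, the SEC-to-account mapping, the field names and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed thresholds and SEC-to-account mapping; set yours from your own risk assessment.
NEW_ACCOUNT_DAYS, DORMANT_DAYS, BURST_COUNT = 30, 180, 5
EXPECTED_KIND = {"PPD": "consumer", "WEB": "consumer", "CCD": "business", "CTX": "business"}

@dataclass
class Account:
    kind: str            # "consumer" or "business"
    opened: date
    last_activity: date  # last customer activity before the credits being screened

@dataclass
class Credit:
    trace: str           # constructed identifiers, not real trace numbers
    account: str
    sec_code: str
    settle: date

def screen_credits(credits, accounts):
    """Return a case record for each incoming credit that trips at least one rule."""
    per_day = {}
    for c in credits:
        per_day[(c.account, c.settle)] = per_day.get((c.account, c.settle), 0) + 1
    cases = []
    for c in credits:
        acct, reasons = accounts[c.account], []
        if (c.settle - acct.opened).days < NEW_ACCOUNT_DAYS:
            reasons.append("new_account")
        elif (c.settle - acct.last_activity).days > DORMANT_DAYS:
            reasons.append("dormant_account")
        if EXPECTED_KIND.get(c.sec_code, acct.kind) != acct.kind:
            reasons.append("sec_account_mismatch")
        if per_day[(c.account, c.settle)] >= BURST_COUNT:
            reasons.append("burst")
        if reasons:  # decision and rationale are filled in by the reviewer and retained
            cases.append({"trace": c.trace, "account": c.account, "reasons": reasons,
                          "decision": None, "rationale": None})
    return cases

# Constructed sample data
TODAY = date(2026, 3, 20)
ACCOUNTS = {
    "A1": Account("consumer", date(2026, 3, 10), date(2026, 3, 10)),  # opened 10 days ago
    "A2": Account("consumer", date(2019, 1, 5), date(2025, 6, 1)),    # no activity since June 2025
    "A3": Account("business", date(2018, 4, 2), date(2026, 3, 18)),   # active
    "A4": Account("consumer", date(2020, 7, 1), date(2026, 3, 15)),   # active
}
CREDITS = [Credit("T1", "A1", "CCD", TODAY), Credit("T2", "A2", "PPD", TODAY),
           Credit("T3", "A3", "CCD", TODAY)] + [Credit(f"B{i}", "A4", "PPD", TODAY) for i in range(5)]
```

Each returned record maps to the detection → decision → outcome case examples listed under Proof once the reviewer fills in `decision` and `rationale`.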

Why This Matters for Bankers

The expectation is shifting from “have alerts running somewhere” to a documented, risk-based, defensible fraud-monitoring program.

Clear policies, practical steps, and good evidence will make 2026 exams smoother and help reduce actual losses in the process.

 

DefenseStorm
