ACH Fraud and Nacha’s New Rules: Why Now Is The Time To Act

The scale and sophistication of consumer scams in today’s digital economy are staggering. Globally, losses related to these scams reached $43.6 billion in 2023, with business email compromise (BEC)—a type of social engineering attack that exploits trust in email communications—accounting for $6.7 billion in losses alone.

Despite this risk, the Association of Financial Professionals reported in 2024 that less than 60% of institutions have developed procedures to safeguard against BEC. More than half of those have never tested their effectiveness. When fraud detection is siloed, resulting in overwhelming volumes of false‑positive alerts, financial institutions are unable to respond effectively, leaving them open to real threats.

An attempt to solve the problem

The 2026 rules from the National Automated Clearing House Association (Nacha) are a direct response to the evolving landscape of ACH fraud. The Nacha ACH Network has reported 11 consecutive years of growth, adding $1 trillion in transaction volume each year— a testament to the critical role ACH payments play in commerce. But as the network expands, so do the opportunities for fraudsters, who are relentlessly following the money.

The new rules are designed to address the challenges of detecting fraudulent transactions authorized through social engineering and other attacks that target ACH payments. The updates require both receiving depository financial institutions (RDFIs) and originating depository financial institutions (ODFIs) to rigorously assess both sides of an ACH payment, analyzing all 17 monetary Standard Entry Class (SEC) codes. This comprehensive approach strengthens fraud detection across the entire transaction lifecycle.

The goal is clear: empower institutions to identify and respond to sophisticated fraud schemes, including authorized push payment scams, which are particularly insidious, as these scams exploit the legitimacy of customer‑initiated payments, making recovery difficult and rendering traditional authentication controls ineffective.

The Nacha rules fundamentally shift the compliance landscape for financial institutions. They place the onus on all financial institutions within the ACH network to monitor transactions comprehensively. Here is what is changing:

• RDFI monitoring: Institutions must implement risk‑based monitoring to flag suspicious incoming ACH credit entries. This includes collaborating with receivers and ODFIs on risk and recovery strategies and updating policies as part of annual ACH audits.
• ODFI monitoring: Institutions must expand their monitoring of all 17 monetary SEC codes to look for anomalies and inconsistencies with transaction types.
• Transaction lifecycle monitoring: Institutions need to monitor conditions such as SEC code alignment, unusual dollar amounts, suspicious payees and account age. The rules emphasize a holistic approach, requiring analysis of both payor and payee sides of ACH transactions.

Importantly, the rules empower RDFIs to return incoming transactions deemed risky—even without a request from the ODFI. Institutions can delay funds availability for further investigation, provided the delay is risk‑based and not a blanket policy.

Early preparation is critical. Financial institutions must:

1. Review the new rules
   Understand what’s changing in March 2026 to evaluate current ACH fraud monitoring controls and identify gaps.
2. Perform a gap assessment
   Assess systems and internal policies to determine readiness for process changes for both incoming and outgoing ACH payments.
3. Update monitoring procedures
   Implement or refine risk‑based monitoring for both RDFIs and ODFIs, ensuring procedures are regularly audited and updated.
4. Collaborate across the ecosystem
   Work with originators, receivers and other institutions to align on fraud detection and recovery strategies.

A collaborative, data‑driven approach

The challenge ahead is significant, but a collaborative approach that leverages consortium data can help align SEC codes with expected transaction types and analyze behavioral data for a complete view of both sides of ACH transactions.

Financial institutions must break down silos and embrace consortium data sharing to gain a holistic view of transaction risk. By pooling anonymized fraud patterns and mule‑account identifiers across organizations, institutions can detect threats that might be invisible when viewed in isolation. This approach not only improves fraud detection but also reduces false positives, streamlining operations and enhancing the customer experience.

With the March 20, 2026, deadline fast approaching, financial institutions must act immediately to meet Nacha’s new requirements. Early compliance will better position organizations to protect customers, avoid fines and penalties and stem the tide of financial crime.

No single institution can be effective on its own; the problem—and the solution—are shared. Working together, institutions can build a defensive multiplier effect, implementing proactive controls based on industry‑wide threat intelligence rather than reacting to incidents in isolation.

The path forward is clear: embrace a whole‑of‑transaction approach, leverage consortium data and collaborate across the ecosystem. By doing so, financial institutions can not only meet regulatory requirements but also build a safer, more resilient payment network for everyone.

Let’s move beyond compliance. Let’s build a community of trust and security in the ACH network. The time to act is now.

Colin Parsons is Vice President of Product.