
Nacha 2026 ACH Fraud Rules: What Originators Must Know


Article Summary

  • Nacha’s 2026 rule changes expand ACH fraud monitoring requirements to include all covered Originators (not just banks), requiring risk-based processes to detect entries initiated due to fraud, including “False Pretenses” (authorized payments induced by deception).
  • Originators must document and annually review their ACH fraud risk assessment, align monitoring controls to their payment types (payroll, vendor payments, disbursements, etc.), and implement appropriate exception handling and escalation procedures.
  • New standardized ACH labeling requirements (PAYROLL and PURCHASE) improve network-wide fraud detection, while implementation rolls out in two phases in 2026 based on origination volume.

Nacha’s New ACH Fraud Monitoring Rules (2026): What Non-Bank Payment Senders (Originators) Need to Know

February 23, 2026

Educational overview only, not legal advice.

If your organization originates ACH payments, Nacha’s (National Automated Clearing House Association) 2026 rules require you to be able to identify ACH entries that may be fraudulent, including payments that were technically authorized, but only because the sender was deceived (what Nacha calls “False Pretenses”).

These changes apply even if you are not a bank. If you originate ACH credits or debits directly, or support ACH origination as a processor, payroll provider, fintech platform, marketplace, AP/AR platform, or other non-bank payments intermediary, you are in scope. At a high level, Nacha now expects organizations to understand where ACH fraud risk is most likely to arise, apply monitoring that fits how they make ACH payments, and periodically step back to make sure those controls still make sense. There are also some related labeling changes so suspicious activity can be identified and addressed earlier across the network.

This discussion is written from the perspective of non-bank, non-consumer Originators. Although the 2026 rules also affect Originating Depository Institutions (ODFIs), Third-Party Senders (TPSs), and Third-Party Service Providers (TPSPs), the expectations for those roles differ and are not addressed here.

Why Is Nacha Making These Changes?

The 2026 amendments are meant to reduce successful ACH fraud and improve the ability to recover funds when fraud occurs by expanding fraud monitoring. Fraud monitoring is expected to be a shared, network-wide responsibility, covering both debits and credits, and must be tailored to the role each participant plays and revisited at least annually.

This reflects what many banks have already been expecting from higher-risk Originators; the difference now is that those expectations are being stated explicitly and applied more consistently across the network. A major driver is the growth of credit-push and social engineering schemes (where a payment may be “authorized,” but only because the sender was deceived), which is why the rules introduce and emphasize False Pretenses. In parallel, standardized ACH “labels” (like the new PAYROLL and PURCHASE Company Entry Descriptions) improve the signal in the file so banks and other participants can apply more targeted monitoring, especially around patterns like payroll redirection.

Nacha defines False Pretenses as inducing payment by misrepresenting identity, authority/association, or ownership of the account to be credited.

This can be associated with common BEC, vendor impersonation, and payroll impersonation patterns and similar “payee impersonation” frauds, i.e., the payer authorizes the payment, but under deception.

This does not cover disputes like scams involving fake, non-existent, or poor-quality goods or services.

Before vs. After: What Nacha Required (and Didn’t)

Here’s what changed for non-bank operators.

Before (Pre-2026): Narrower, Channel-Specific Fraud Controls

Historically, Nacha’s explicit fraud screening requirements for Originators were limited in scope, notably:

•    WEB (Online) Consumer Debits: Originators were required to use a “commercially reasonable” detection system, including validating first-use consumer account information for WEB debits (effective March 19, 2021).

•    Micro-Entries: Originators using micro-entries also faced specific fraud detection and monitoring expectations.

After (2026): Role-Based Fraud Monitoring Becomes Mandatory

Starting in 2026, Nacha requires covered parties to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud and to revisit those processes at least annually (Nacha Risk Management Topics: Fraud Monitoring Phase 1).

For Originators whose ACH activity is mostly payroll credits, vendor payments, and periodic awards or disbursements (including payments to nonprofits), the practical focus is identifying suspicious credits that may look authorized but were induced by deception.

For organizations with mature payment controls, this is likely not a rebuild. In most cases, the incremental work is limited to: (1) clearly assessing (and documenting) where False Pretenses risk is most likely to arise, (2) mapping existing approval, change management, and monitoring controls to that risk, and (3) periodically revisiting that assessment as payment activity and fraud tactics change.

New ACH “Labeling” Requirement: Standard Company Entry Descriptions (PAYROLL & PURCHASE)

Nacha is also standardizing how certain ACH payments are labeled in the ACH file to make monitoring easier across the network. Effective no later than March 20, 2026, Originators must use specific values in the Company Entry Description field for certain transactions: “PAYROLL” for all PPD credit entries that pay wages, salaries, or similar compensation (including contractor or 1099 compensation), and “PURCHASE” for e-commerce purchase debits (consumer-authorized online purchases, generally using the WEB debit SEC code).

For payroll and other compensation, “PAYROLL” must appear in the leftmost 7 characters of the field (with up to 3 remaining characters available for optional additional description). The intent is to give financial institutions clearer signals to support targeted monitoring and risk mitigation, such as spotting patterns consistent with payroll redirection.
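A pre-release check for the PAYROLL label, as an added example that is not from Nacha or the original article. It assumes the standard 94-character Batch Header ("5") record layout, with the Company Entry Description in positions 54-63, an exact upper-case match, and a hypothetical `pays_compensation` tag supplied by the originator's own payment system.

```python
from dataclasses import dataclass

CREDIT_SERVICE_CLASSES = {"200", "220"}  # mixed debits/credits, credits only

@dataclass
class BatchHeader:
    service_class: str
    company_name: str
    sec_code: str
    entry_description: str  # raw 10-character field, padding kept

def parse_batch_header(record: str) -> BatchHeader:
    # Fixed-width offsets of the 94-character Batch Header ("5") record.
    if len(record) != 94 or record[0] != "5":
        raise ValueError("not a 94-character batch header record")
    return BatchHeader(record[1:4], record[4:20].rstrip(),
                       record[50:53], record[53:63])

def payroll_label_findings(record: str, pays_compensation: bool) -> list[str]:
    """Return findings for one batch. pays_compensation is the originator's
    own tag for the batch (hypothetical input, not a field in the ACH file)."""
    h = parse_batch_header(record)
    findings = []
    is_ppd_credit = (h.sec_code == "PPD"
                     and h.service_class in CREDIT_SERVICE_CLASSES)
    # The label must occupy the leftmost 7 characters; 3 are left for detail.
    labelled = h.entry_description[:7] == "PAYROLL"
    if pays_compensation and is_ppd_credit and not labelled:
        findings.append(f"{h.company_name}: compensation batch lacks PAYROLL "
                        f"in leftmost 7 chars (found {h.entry_description!r})")
    if labelled and not pays_compensation:
        findings.append(f"{h.company_name}: PAYROLL label on a batch not "
                        "tagged as compensation, review before release")
    return findings

def sample_header(desc: str, sec: str = "PPD", svc: str = "220") -> str:
    # Constructed record for illustration; all identifiers are placeholders.
    return ("5" + svc + "EXAMPLE CO".ljust(16) + " " * 20 + "1234567890"
            + sec + desc.ljust(10) + " " * 6 + "260320" + "   " + "1"
            + "00000000" + "0000001")

if __name__ == "__main__":
    for desc, tag in [("PAYROLL 01", True), ("WK PAYROLL", True), ("PAYROLL", False)]:
        print(desc, payroll_label_findings(sample_header(desc), tag))
```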

Sample Originator Controls to Address ACH Fraud Risk

•    Dual Control (Maker/Checker) for Sensitive Actions: One person sets up or changes payee bank details or creates the ACH batch, and a different person independently approves and releases it.

•    Out-of-Band Verification for Payment Instruction Changes: Any request to change vendor or employee banking instructions is verified using pre-existing, independently validated contact information (not the details provided in the request).

•    MFA and Least-Privilege Access for Payment Systems: Require multi-factor authentication for payment access (especially for release or changes), restrict privileges to only those who need them, and review access regularly.

•    Anomaly Monitoring with an Exception or Hold Queue: Flag outliers (such as unusual dollar amounts, velocity spikes, new payees or first payments, or unusual SEC code patterns) and route them for timely review.

•    Returns and Exceptions Monitoring with Escalation: Track unauthorized return codes (for example, R05, R07, R10, R11, R29, R51), investigate spikes or repeat patterns, and escalate quickly to leadership and your bank or processor when suspicious activity is identified.
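The anomaly-monitoring control above, sketched as a pre-release screen that routes outgoing credits to a hold queue. This is an added example, not code from the article or from Nacha; the record shapes, the 14-day change window, the 3x-median amount rule and all sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

@dataclass
class Credit:
    payee_id: str
    account: str      # opaque token for routing+account, as stored internally
    cents: int
    pay_date: date

def screen_credits(batch, history, detail_changes,
                   change_window_days=14, amount_factor=3.0):
    """Return {batch index: [reasons]} for credits to hold for review.
    history: payee_id -> past Credits; detail_changes: payee_id -> date the
    payee's bank details were last changed (both hypothetical inputs)."""
    held = {}
    for i, c in enumerate(batch):
        reasons = []
        past = history.get(c.payee_id, [])
        if not past:
            reasons.append("first payment to new payee")
        else:
            if c.account not in {p.account for p in past}:
                reasons.append("first payment to new account")
            if c.cents > amount_factor * median(p.cents for p in past):
                reasons.append("amount outlier")
        changed = detail_changes.get(c.payee_id)
        if changed and 0 <= (c.pay_date - changed).days <= change_window_days:
            reasons.append("bank details changed recently")
        if reasons:
            held[i] = reasons
    return held

def demo_hold_queue():
    # Constructed data: one redirected payroll credit, one clean vendor
    # payment, one oversized vendor payment, one brand-new payee.
    d = date(2026, 3, 15)
    history = {
        "emp-1": [Credit("emp-1", "acct-A", 250000, date(2026, 2, 15))],
        "ven-9": [Credit("ven-9", "acct-V", c, date(2026, 2, 1))
                  for c in (100000, 120000, 90000)],
    }
    changes = {"emp-1": date(2026, 3, 10)}
    batch = [Credit("emp-1", "acct-B", 250000, d),
             Credit("ven-9", "acct-V", 110000, d),
             Credit("ven-9", "acct-V", 900000, d),
             Credit("ven-77", "acct-N", 50000, d)]
    return screen_credits(batch, history, changes)
```

Held entries would then feed the exception queue and the dual-control release step rather than being rejected outright.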

Next Steps

Timing: Phase 1 vs. Phase 2

Nacha is rolling the new fraud monitoring rules out in two phases:

Phase 1: Effective March 20, 2026. Applies to Originators with 2023 origination volume of 6 million entries or more.

Phase 2: Effective June 19, 2026 (practically June 22, 2026, due to the June 19 holiday). Applies to all remaining non-consumer Originators not captured by Phase 1.

What You Do Need

•    A written explanation of how suspicious ACH activity is identified for your specific use cases.
•    An assessment explaining where ACH fraud risk is most likely to arise (payroll, vendor payments, refunds or disbursements, etc.).
•    Monitoring and exception handling steps that align with your volume, systems, and workflows. “Appropriate to risk” does not mean “no monitoring.” Some level of monitoring is expected, even for lower-risk use cases.
•    A defined response process (who investigates, when processing is paused, and how your bank or ODFI is notified).
•    Evidence that the approach is reviewed and adjusted over time.

What You Don’t Have to Do

•    You do not need a specific tool or vendor. The rule is outcomes-based and does not prescribe technology.
•    You do not have to review every ACH entry individually. Selective, exception-based monitoring is acceptable, and in practice, that’s how most Originators operate today.
•    You do not have to monitor only pre-processing (even though it can be effective). Post-processing and periodic review approaches are permitted.

If you use a processor or other third party, it’s important to clearly define who performs which monitoring activities. As the Originator, however, you should still be able to explain where your risk lies, what controls address it, and how the approach is reviewed.

How Larson Can Help

If you’re already a Larson and Company client, we’re happy to talk through how these changes align with your existing payment controls and where modest updates may be needed.

For organizations that would benefit from a second set of eyes, we can help translate Nacha’s expectations into practical, defensible approaches that fit their payment volume and operating model.
If a discussion is helpful, please reach out.

Sources

Nacha. Risk Management Topics: Fraud Monitoring (Phase 1).
Available at: https://www.nacha.org/rules/risk-management-topics-fraud-monitoring-phase-1
Accessed February 16, 2026.

Nacha. Risk Management Topics: Fraud Monitoring (Phase 2).
Available at: https://www.nacha.org/rules/risk-management-topics-fraud-monitoring-phase-2
Accessed February 16, 2026.

Frequently Asked Questions About Nacha’s New ACH Fraud Monitoring Rules  

What are Nacha’s 2026 ACH fraud monitoring requirements?
Beginning in 2026, covered Originators must establish and implement risk-based processes reasonably intended to identify ACH entries initiated due to fraud, including payments induced by deception (“False Pretenses”), and must review those processes at least annually.

Do Nacha’s new ACH fraud rules apply to non-bank companies?
Yes. The rules apply to non-bank Originators that initiate ACH credits or debits, including payroll providers, fintech platforms, marketplaces, processors, AP/AR platforms, and other non-bank payment intermediaries.

What is “False Pretenses” under Nacha’s rules?
“False Pretenses” refers to situations where a payment is technically authorized but was induced through deception—such as business email compromise (BEC), vendor impersonation, or payroll redirection fraud involving misrepresentation of identity, authority, or account ownership.

What are the new ACH labeling requirements in 2026?
By March 20, 2026, Originators must use standardized Company Entry Descriptions:
•    “PAYROLL” for wage and compensation credits (PPD credits).
•    “PURCHASE” for certain e-commerce consumer debit transactions (typically WEB debits).
These labels help financial institutions apply targeted fraud monitoring.

When do the 2026 Nacha fraud monitoring rules take effect?
Implementation occurs in two phases:

Phase 1: Effective March 20, 2026, for Originators with 6 million or more entries (based on 2023 volume).

Phase 2: Effective June 19, 2026 (practically June 22, 2026), for all remaining non-consumer Originators.