According to NACHA, the ACH Network continues to see significant growth in ACH transactions, reporting a 5% rise in volume by end of Q2 2025, with a value of over 23.3 trillion dollars.
But with this proliferation, NACHA has also announced changes in your ACH program that will require enhanced fraud monitoring techniques starting in 2026. Faster money movement opens the door to fraud, and NACHA wants to ensure that your financial institution and your stakeholders are protected.
So bring on the phased approach to Fraud Monitoring and Risk Management, part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred. Let’s break down these new requirements and help you identify when and where these changes need to occur.
There are two dates coming up, and the general requirements, per NACHA’s website, include:
It’s also important to note that the March 20 deadline applies to all ODFI, non-Consumer Originators, Third-Party Service Providers and Third-Party Senders with annual ACH origination volume in 2023 of 6 million or greater. (The elimination of the volume threshold occurs with Phase 2, effective June 19, 2026, along with rules for credit monitoring for RDFIs.)
The overarching requirements that you need to think about are your policies, procedures, and monitoring systems. As always, we need to employ a risk-based approach to these rules – it is not necessarily standardized for everyone.
1. Policies and Procedures – NACHA clearly explains that we need to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.
a. The use of “commercially reasonable” has been eliminated as a standard and there is a new description of requirements such as “reasonably intended to identify.”
b. The use of the term “detection system” has been replaced with “processes and procedures.”
c. A review of your processes and procedures will now also be required at least annually.
d. It’s also time to review your written and approved policies, updating the language and reviewing the processes you follow today to ensure you’re doing everything you can to identify ACH Entries that may have been initiated due to fraud. This includes your review and approval process for new ACH originators, your accountholder due diligence, your file receipt and approval flow, and your monitoring and review controls.
2. Fraud Monitoring – Not a lot new here. The rules have required you to monitor WEB debits and micro-entries since 2021. The same changes listed above apply here:
a. Replacing “commercially reasonable” with “implementing adequate control systems to detect and prevent fraud.”
b. Replacing “detection system” with “processes and procedures.”
c. Applying risk-based techniques to ensure that the monitoring is aligned with being “relevant to the role the entity plays.”
d. The rules also clarify that monitoring is not required pre-processing; however, as we all know, the best way to stop fraud is to catch it before it leaves your institution!
e. A new requirement has been added that RDFIs (with annual ACH receipt volume of 10 million or greater in 2023 – by March 20) establish and implement risk-based processes and procedures designed to identify credit entries initiated due to fraud. Here they suggest having account profile information and historic activity to look for anomalies. This aligns with AML monitoring practices that are in place today, so it may not be a new process for your organization.
f. An important point made here is advocating for improved communication throughout the entire organization. Having a holistic view of accountholder activity all in one place – from Ops to Retail to Compliance – is beneficial.
3. False Pretenses
a. The rules introduce reference to a new term – false pretenses – defined as “The inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”
b. They also note how identifying false pretense scenarios can aid in uncovering common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, etc.
c. Your best friend here – Having systems in place that utilize behavioral analysis to identify anomalies and alert you to suspicious activity.
The bottom line – as we have seen with regulatory guidance over the last 10+ years:
Conduct your risk assessment on how these rules apply to your accountholders’ activity.
Review and update your policies and procedures on an ongoing basis.
Partner with vendors who will help you not only remain in compliance but, as the ultimate goal of these rules implies, help mitigate losses for you and your accountholders.
Jack Henry’s Financial Crimes Defender™ platform can assist you with a holistic view of your clients and utilizes a hybrid approach to AML and fraud monitoring – with real-time interdiction of transactions in many cases. Learn more here or reach out to your Sales Executive today to talk about how we can help you in the fight against fraud!
Stay up to date with the latest people-inspired innovation at Jack Henry.
.svg)
