Nacha’s Phase 2 ACH Fraud Monitoring Rules Take Practical Effect

Phase 2 removes the volume thresholds

The amendments formally carry an effective date of June 19, 2026. Because June 19 is a U.S. federal holiday, Nacha designated Monday, June 22 as the practical effective date and instructed affected parties to comply no later than that date.

Phase 1, which took effect on March 20, covered all Originating Depository Financial Institutions, larger non-consumer Originators and service providers, and RDFIs whose 2023 ACH receipt volume exceeded the stated threshold.

Phase 2 removes those volume thresholds. It brings the remaining non-consumer Originators, Third-Party Service Providers, Third-Party Senders and RDFIs into the fraud monitoring framework, regardless of their ACH transaction volume.

A risk-based process is required

The rules do not prescribe one fraud detection product, technical architecture or scoring model.

Instead, affected organizations must establish and implement risk-based processes and procedures reasonably intended to identify ACH entries suspected of being unauthorized or initiated under false pretenses. Those procedures must remain relevant to the role that each organization plays in originating, transmitting or receiving ACH transactions.

Nacha also requires organizations to review these processes at least annually and update them as fraud patterns and operational risks evolve.

The rules do not require every transaction to be reviewed manually. They also do not require all monitoring to take place before an entry is processed. Organizations can design controls based on transaction risk, account behavior, operational responsibilities and existing monitoring capabilities.

False pretenses receive explicit attention

The amendments define false pretenses as cases in which a payment is induced through misrepresentation involving a person’s identity, authority, association with another party or ownership of the receiving account.

This definition covers common payment fraud scenarios including:

• Business email compromise
• Vendor impersonation
• Payroll instruction fraud
• Payee impersonation
• Account takeover

The focus reflects the growing importance of credit-push fraud, where an authorized employee or customer is manipulated into sending money to an account controlled by a fraudster.

What affected organizations should review

Organizations that originate or support ACH payments should assess whether their current controls cover the full payment instruction lifecycle.

Key areas include:

• Payment detail changes: Introduce verification controls when bank account information for a supplier, employee or other payee changes.
• Transaction anomalies: Monitor unusual changes in payment frequency, amount, velocity, recipient or SEC Code.
• Access and approval controls: Review account permissions, approval thresholds and segregation of duties.
• Escalation procedures: Define how suspicious transactions are paused, investigated and communicated to banking partners.
• Documentation: Maintain records of the risk assessment, monitoring procedures, alerts and annual reviews.

Nacha allows organizations flexibility in how responsibilities are allocated between Originators, service providers and financial institutions. However, any reliance on another participant should be clearly documented and subject to appropriate oversight.

What this means for international businesses

Companies using ACH for U.S. payroll, supplier payments, refunds or other business transactions may face additional control requirements from banks and payment providers.

The rules do not mean that every company accepting payments in the United States is automatically subject to the same obligations. Applicability depends on the organization’s role in the ACH transaction and whether it acts as a non-consumer Originator or through a covered service provider.

Businesses should confirm their responsibilities with their bank, payment partner and compliance advisers. They should also expect more attention to payment instruction changes, account validation, transaction monitoring and audit records.

The wider signal is clear: payment fraud monitoring is becoming a shared responsibility across the transaction chain, rather than a control performed only by the originating or receiving bank.