Contents
Understanding the 2026 Nacha Risk Management Rules
by Dale Erling | 15+ Years payment & fintech experience | February 2026 | 4 minute read
Executive Summary
The March 20, 2026, Nacha Phase 1 deadline introduces significant fraud monitoring requirements across the ACH Network. These rule amendments are part of a larger Risk Management package intended to reduce successful fraud attempts and improve fund recovery. For the first time, receiving depository financial institutions (RDFIs) will have a formally defined role in monitoring incoming ACH credits. See also our post NACHA 2026: Moving Beyond Account Validation to Proactive Fraud Monitoring here
Key Regulatory Changes
The “False Pretenses” Standard
The new rules introduce “false pretenses” as a defined term, requiring organizations to establish risk-based processes and procedures reasonably intended to identify ACH entries that are unauthorized or authorized under false pretenses. This replaces the previous “commercially reasonable” standard that applied only to WEB debits and Micro-Entries.
Nacha defines false pretenses as: “The inducement of a payment by a person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”
This definition explicitly covers common fraud scenarios including Business Email Compromise (BEC), vendor impersonation, and payroll redirection—where payments are technically authorized but based on deceptive information.
Expanded RDFI Responsibilities
For the first time, RDFIs have a formally defined monitoring role. Based on their monitoring, an RDFI may:
- Delay funds availability (within Regulation CC limits) to examine payments more closely
- Return suspicious transactions on their own initiative using Return Code R17 (“Questionable”)
- Contact the ODFI via the ACH Contact Registry to determine transaction validity
Important: The rules do not require pre-posting monitoring of credit entries. RDFIs may assess entries after posting using behavioral analytics, velocity checks, or alert-based workflows.
Standardized Entry Descriptions
Two new Company Entry Descriptions become mandatory on March 20, 2026:
- PAYROLL: Required for all PPD credit entries used to pay wages, salaries, or similar compensation
- PURCHASE: Required for all e-commerce debit entries authorized by consumers for online purchases
These standardized descriptions enable more effective anomaly detection by allowing systems to identify mismatches—such as corporate SEC codes used for consumer accounts, or payroll credits to accounts with no history of wage deposits.
Phase Timeline and Applicability
Phase 1 — Effective March 20, 2026
| Participant Type | Volume Threshold (2023 Baseline) |
|---|---|
| ODFIs | All ODFIs (no volume threshold) |
| Non-consumer Originators, TPSPs, TPSs | 6 million or more ACH originations |
| RDFIs | 10 million or more ACH receipts |
Phase 2 — Effective June 19, 2026*
All remaining non-consumer Originators, TPSPs, TPSs, and RDFIs regardless of volume.
*Note: As June 19 is a federal holiday, the practical effective date is June 22, 2026.
Frequently Asked Questions
Q: Who is impacted by the March 20, 2026 (Phase 1) deadline?
A: Phase 1 impacts:
- All ODFIs regardless of volume
- Non-consumer Originators, Third-Party Service Providers (TPSPs), and Third-Party Senders (TPSs) with 6 million or more ACH originations in 2023
- RDFIs with 10 million or more ACH receipts in 2023
Phase 2 (June 2026) eliminates the volume thresholds and extends requirements to all remaining participants.
Q: What exactly does “False Pretenses” cover?
A: False pretenses covers scenarios where a payment is induced through misrepresentation of identity, authority, or account ownership. This includes Business Email Compromise (BEC), vendor impersonation, and payroll redirection—transactions that are technically “authorized” by the legitimate account holder but based on fraudulent information.
Note: This definition does not cover scams involving fake, non-existent, or poor-quality goods and services.
Q: Why are “PAYROLL” and “PURCHASE” labels now mandatory?
A: Standardized entry descriptions support risk-based monitoring by enabling pattern recognition. RDFIs can more easily identify anomalies such as SEC Code mismatches with account types (e.g., corporate codes on consumer accounts), unusual transaction velocity, or credits inconsistent with account history.
Q: Does the rule require real-time or pre-processing monitoring?
A: No. The rules do not require pre-posting monitoring of credit entries or screening of every transaction individually. Organizations may implement risk-based monitoring using post-settlement analysis, behavioral analytics, velocity checks, or alert-based workflows. The key requirement is that processes be “reasonably intended” to identify fraudulent entries.
Q: Are manual verification processes still compliant?
A: The Nacha Operating Rules do not prescribe specific processes or procedures. Organizations are permitted to establish a risk-based approach appropriate to their role in handling ACH entries. However, the rules do require that processes and procedures be reviewed at least annually and updated to address emerging threats. Whatever approach an organization takes should be documented and demonstrably designed to identify entries suspected of being unauthorized or authorized under false pretenses.
Q: What tools do RDFIs have to act on suspicious transactions?
A: RDFIs have several options:
- Delay funds availability using the exemption for entries suspected of being originated under false pretenses
- Consult the ACH Contact Registry to identify and contact the ODFI
- Return the entry using Return Code R17 with the descriptor “QUESTIONABLE”
These actions must occur within standard return timeframes.
Compliance Considerations
Organizations should consider the following areas as they prepare:
- Policy and Procedure Review: Establish or update written policies covering fraud monitoring processes, ensuring they address both unauthorized entries and entries authorized under false pretenses.
- Annual Review Requirement: Processes and procedures must be reviewed at least annually to address evolving fraud risks.
- Cross-Functional Communication: The rules encourage communication between compliance monitoring, operations, product management, and relationship staff.
- Vendor Solutions: In-house solutions are permitted, and vendor solutions are available to assist with monitoring.
- Documentation: Maintain documentation demonstrating that monitoring processes are reasonably designed to identify fraud risk.
Glossary
| Term | Definition |
|---|---|
| ACH (Automated Clearing House) | The electronic network that processes bank-to-bank payments in the U.S., handling direct deposits, bill payments, and business transactions. |
| Nacha | The organization that governs the ACH Network and establishes the operating rules all participants must follow. |
| ODFI (Originating Depository Financial Institution) | The bank or credit union that sends an ACH payment on behalf of its customer. If your organization initiates payments through your bank, your bank is the ODFI. |
| RDFI (Receiving Depository Financial Institution) | The bank or credit union that receives an ACH payment and posts it to the recipient’s account. |
| Originator | The company or government entity that initiates ACH payments—this is likely you if you process payroll, vendor payments, or collect payments via ACH. |
| TPSP (Third-Party Service Provider) | A company that provides ACH processing services on behalf of originators, such as payroll processors or payment platforms. |
| TPS (Third-Party Sender) | A type of TPSP that acts as an intermediary, originating ACH entries on behalf of other companies through an agreement with an ODFI. |
| SEC Code (Standard Entry Class Code) | A three-letter code identifying the type of ACH transaction (e.g., PPD for payroll, CCD for business-to-business, WEB for internet-authorized payments). |
| PPD (Prearranged Payment and Deposit) | The SEC code used for consumer transactions like payroll direct deposits or recurring bill payments authorized in advance. |
| Credit Entry | An ACH transaction that deposits money into an account (e.g., payroll, vendor payment). |
| Debit Entry | An ACH transaction that withdraws money from an account (e.g., bill payment, subscription charge). |
| Credit-Push Fraud | Fraud where a victim is tricked into sending money to a fraudster’s account—the payment is “pushed” from the victim. BEC and payroll diversion are examples. |
| BEC (Business Email Compromise) | A scam where criminals impersonate executives, vendors, or trusted parties via email to trick employees into sending payments to fraudulent accounts. |
| Payroll Diversion | A type of fraud where criminals pose as employees and request that direct deposit information be changed to route paychecks to accounts they control. |
| Mule Account | A bank account used by fraudsters to receive and move stolen funds, often opened using stolen or synthetic identities. |
| Return Code R17 | An ACH return reason code that RDFIs can use to return an entry they believe is fraudulent or questionable. |
| Regulation CC | Federal regulation governing funds availability—how quickly banks must make deposited funds available to customers. |
| ACH Contact Registry | Nacha’s secure directory where financial institutions can look up contacts at other institutions for fraud inquiries and return requests. |
Disclaimer
This document is provided for informational purposes only and does not constitute legal, financial, or compliance advice. While the information reflects the Nacha Risk Management Rules effective in 2026, organizations should consult with their legal counsel or a certified ACH Professional (AAP) to ensure their specific internal policies meet all regulatory requirements. The author and affiliated entities are not liable for any operational or financial losses resulting from the use of this information.
For authoritative guidance, refer to the official Nacha Operating Rules and the Nacha website at nacha.org.