To comply with the 2026 NACHA requirements, users of the ACH payment network have to implement better fraud controls by putting more efficient detection and monitoring systems in place. This impacts non-consumer originators and businesses that send and receive on the electronic payments network, requiring risk-based controls. The rules come into force in 2026, and firms must prepare for the NACHA 2026 ACH rule changes in order to meet these requirements.
Learn about these changes, and how to operate within the boundaries of the new risk management rules by implementing tools like Trustpair for automated vendor payment-fraud prevention.
NACHA 2026 rules key takeaways
- Incoming NACHA rules in 2026 require payment originators to put risk-based procedures in place to better monitor payments for fraud
- All businesses using the network must pay attention to the new rules in order to avoid fines, compliance penalties and reputational damage
- Firms should implement risk-based processes under their fraud detection systems to identify gaps and detect anomalies
- Include account validation, change management and fraud prevention tools in your process for comprehensive compliance and protection
What are the new 2026 NACHA rules?
The new NACHA rules in phase one, with a deadline of 20th March 2026, are:
- Fraud monitoring by Originating Depository Financial Institutions (ODFIs), large originators, Third Party Service Providers (TPSPs) and Third Party Senders (TPSs): these organizations must implement procedures and risk-based processes to monitor transactions and identify ACH entries initiated by fraud.
- ACH credit monitoring by large RDFIs (Receiving Depository Financial Institutions): receiving account banks with annual ACH receipt volume of at least 10 million (in 2023) must monitor incoming credit entries for fraudulent activity.
- New company entry descriptions: payroll and purchase: two standardized codes for the Company Entry Description field in certain ACH entries (not applicable for vendor payments). ‘Payroll’ is the description for all Personal Professional Development (PPD) credits for wages, salaries and compensation, and ‘purchase’ is the description for e-commerce purchase websites.
The 22nd of June 2026 is the phase two deadline, and includes the following operating rule changes:
- Fraud monitoring by all other originators, TPSPs and TPSs: NACHA requirements for risk-based fraud detection processes and procedures extend to all originators, TPSPs and TPSs, regardless of origination volume
- ACH credit monitoring by all other RDFIs: All RDFIs (regardless of volume) must have processes in place to monitor incoming credit entries for fraud
There are two 2026 effective dates of implementation:
- 20th March 2026 is the phase one deadline
- 22nd June 2026 is the phase two deadline
Why are the new NACHA rules important?
It’s important that businesses pay attention to the new NACHA governance rules because they affect almost every business in the US. In fact, any organization that processes electronic payments, either by capturing credit and debit card transactions from customers, or even paying staff through payroll, is affected.
The new rules are also important for:
- Standardizing fraud prevention strategies across the industry, no matter the business size
- Ensuring that partners and customers can expect a minimum level of protection
- Improving early detection of suspicious payment activity through risk assessments to see current capabilities and possible vulnerabilities
- Enabling more accurate transaction labelling, which should lead to better detection
Who needs to comply with NACHA rules?
All ACH network participants must comply. Three types of businesses need to comply with the new 2026 NACHA rules:
- Businesses that initiate ACH transactions
- Financial institutions that receive deposits via the ACH network into their customer accounts
- Third parties that provide services within the ecosystem (fintechs), such as payment processors and payroll providers
Although it’s the financial institutions that have primary compliance responsibility, all businesses that are participating in the ACH system have a responsibility to follow the rules.
NACHA, which stands for the National Automated Clearing House Association, regulates the ACH payments network across the United States. The regulatory body enforces the rules that keep the network available, secure and efficient.
What happens if a business doesn’t comply with NACHA rules?
If a business fails to comply with NACHA rules, the risks of fraud and enforcement action are significant:
- Greater risk of fraud or unauthorized payments
- Financial losses and reputational impacts such as harm to customer trust levels and third-party relationships
- Damaged service relationships between the business and its bank, which could lead to the freezing of payment services or other account restrictions
- Potential fines from NACHA itself – these are typically sent to the financial institution that processes the payment, which may then choose to pass the fine on to the non-compliant business
How do NACHA rules relate to fraud prevention?
NACHA rules relate to fraud prevention because payment fraud has risen significantly in the US over the last decade, much of which has been perpetrated on the ACH network. These new rules have been introduced to add more verification and therefore protection for vendors and customers alike.
NACHA currently prevents fraud by requiring companies to screen debits and micro-entries, but the updates provide a broader overview.
We recommend that companies use NACHA rules as part of their wider vendor onboarding process, authenticating the payment details of their partners and suppliers. Even with these updates, ACH fraud risks exist: it’s important that companies go further to secure their supplier onboarding.
At Trustpair, we secure and streamline vendor onboarding by leveraging a unique account validation methodology. Go beyond the rules aimed at NACHA compliance and protect your entire supply chain with simplified account ownership verification.
How can businesses be NACHA 2026 compliant?
Here’s a step-by-step guide to becoming NACHA compliant:
- Account validation: at the start of every new client relationship, you should automatically verify the existence and ownership of the payment and business accounts.
- Change management: ongoing account monitoring is required to ensure that as details change, your company remains secure. This covers bank account access, ownership, contact details and even geographical details. Trustpair performs ongoing vendor monitoring as a direct response to fraudulent bank account change requests.
- Fraud prevention tools: screening for suspicious activity is an important part of continued NACHA compliance. Businesses must build this, alongside tools like compliance checklists, into their process for confidence in compliance.
A summary on the new NACHA rules
The new NACHA rule amendments relate to fraud monitoring as organizations send and receive payments through the ACH network. In 2026, businesses will be required to comply by putting risk-based procedures in place to identify fraudulent entries, verify and monitor activity. Trustpair aids compliance as a secure solution for fraud prevention, thanks to automated account validation.

