What Banks and Credit Unions Need to Know About Upcoming Nacha Rule Changes
Key Takeaways
Nacha has instituted a series of ACH rule changes focused on fraud detection and prevention, particularly as related to credit push or authorized push payment (APP) fraud.
These rule changes now require:
Fraud monitoring by Originators, Third-Party Service Providers (TPSPs) and Originating Depository Financial Institutions (ODFIs)
Receiving Depository Financial Institution (RDFI) ACH credit monitoring
Standard Company Entry Description – PAYROLL
Standard Company Entry Description – PURCHASE
The new rules go into effect in a phased manner in March and June 2026.
Every bank and credit union needs to prepare now to ensure compliance.
A major shift in ACH rules
When Nacha proposed its Risk Management Topics package, the ACH governing body put in motion one of the largest changes to the Nacha Operating Rules in 20 years. Designed to protect against increasing fraud, particularly credit push or authorized push payment (APP) fraud, these new requirements tighten up ambiguities and clarify ACH transaction monitoring. They open the door for banks and credit unions to consider new solutions, like account validation, for maintaining compliance.
In addition, for the first time, the rules put fraud detection requirements on ACH receiving depository financial institutions (RDFIs). It is a major shift for banks and credit unions that only receive ACH payments: new approaches will need to be in place to ensure that RDFIs meet the compliance requirements around having “risk-based processes and procedures designed to identify credit Entries initiated due to fraud.”
Here’s what every bank and credit union leader needs to know – before it’s too late.
What’s changing in the Nacha Operating Rules?
According to Nacha, “These Rule amendments related to monitoring for fraud are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.” Specifically, the rule changes include:
Fraud monitoring by Originators, Third-Party Service Providers (TPSPs) and Originating Depository Financial Institutions (ODFIs) – This rule requires all ODFIs and each non-consumer Originator, Third-Party Service Provider, and Third-Party Sender to “establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.”
Receiving Depository Financial Institution (RDFI) ACH credit monitoring – In a large shift in approach, RDFIs are being held responsible for fraud monitoring for the first time. Specifically, as mentioned above, they need to “establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.”
Standard Company Entry Description – PAYROLL – This rule “establishes a new standard description for PPD Credits for payment of wages, salaries and similar types of compensation. The Company Entry Description field must contain the description PAYROLL.” Its goal is to reduce fraud around payroll misdirection.
Standard Company Entry Description – PURCHASE – This rule “establishes new standard description for e-commerce purchases; the Company Entry Description field must contain the description PURCHASE.” The main objective in its implementation is to enable the identification of e-commerce transactions to help standardize the use of data and support parties in managing risk and improving ACH quality.
Why are these changes being made?
Authorized Push Payment (APP) fraud, also called credit push fraud, continues to rise, and estimates show that by 2028, U.S. losses will exceed $3 billion. In addition, in its latest fraud survey, the Association for Financial Professionals reported that 50% of businesses experienced ACH credit fraud in 2024.
What is credit push fraud/authorized push payment (APP) fraud?
Credit push fraud - referred to as "authorized push payment" (APP) fraud in the context of ACH and similar rails - occurs when a fraudster tricks a victim (either a business or consumer) into initiating a legitimate ACH credit transfer to an account controlled by the fraudster. The defining feature is that the transaction is authorized by the account holder, not initiated by the criminal through account takeover or theft.
The new Nacha rules are designed to address these concerns and have been in development for years. In fact, in September 2022, Nacha released a new risk management framework that set the stage for these new rules.
When do the changes come into effect?
The suite of risk management rule changes will be implemented in a phased approach over March and June 2026. Specifically:
March 20, 2026
Fraud Monitoring by ODFIs
Fraud Monitoring by Originators, TPSPs, and TPSs with annual ACH origination volume of 6 million or greater in 2023 (Phase 1)
ACH Credit Monitoring by RDFIs with annual ACH receipt volume of 10 million or greater in 2023 (Phase 1)
New Company Entry Descriptions – PAYROLL and PURCHASE
June 22, 2026
Fraud Monitoring by all other Originators, TPSPs, and TPSs
ACH Credit Monitoring by all other RDFIs
What do banks and credit unions need to do today?
Now’s the time to start preparing to ensure you can meet compliance requirements for implementation. Key steps to take today include:
Assess your 2023 ACH volume. ODFIs, you will need to determine if you had an ACH origination volume of 6 million or greater in 2023, which makes you a candidate for the March 20, 2026 implementation. Similarly, RDFIs, you will need to evaluate if you had a 2023 annual ACH receipt volume of 10 million or greater, which makes you a candidate for the March 20, 2026 implementation.
Evaluate current fraud controls and how they align with the new rules. For ODFIs, consider if your current fraud monitoring systems meet Nacha’s requirements for identifying fraudulent entries. For RDFIs, consider how you will establish and implement ACH credit monitoring.
Determine where you have gaps in compliance. Take a hard look at your internal controls as they compare to these rules and identify ways to bolster systems to remain in compliance.
Reach out to partners to determine available solutions. Check with your processor and provider partners about solutions that are prewired and baked into their ACH processing.
What are the two paths to ACH fraud detection compliance?
Option 1: Direct integration with fraud tech providers
Upside: Full freedom to choose your partner and customize detection models.
Downside: Legacy ACH cores weren’t designed for easy third-party integration. That means long projects, performance headaches, and ongoing IT lift to keep things stable.
Option 2: Pre-wired fraud integrations via ACH processors (e.g., Finzly)
Upside: Modern ACH processors are built for plug-and-play, with pre-integrated fraud detection partners already embedded. This removes the complexity of retrofitting fraud tools into older rails.
Faster to market: Because the integrations are ACH-native and API-first, compliance deadlines can be met quickly without re-engineering legacy systems.
Operational simplicity: Monitoring, vendor updates, and performance tuning are already handled in the processor’s ecosystem.
Future-ready: As fraud vendors evolve, new integrations get added into the processor’s catalog—keeping banks current without another round of heavy IT work.
Trade-off: You may not have unlimited vendor choice, but for most banks the benefits of modern, modular ACH processing far outweigh the rigidity of legacy systems.
Where can banks and credit unions get more information on the new rules?
Nacha provides insights into these new rules on its website, but for banks and credit unions to ensure compliance readiness, they should speak with payments partners. Your partners can help you identify the solutions that will seamlessly help you in meeting these new requirements.
For more on Finzly’s advanced built-in ACH fraud detection and monitoring capabilities, reach out to our payments experts.