Financial institutions processing ACH transactions face expanded fraud monitoring obligations in 2026 as NACHA implements the next phase of a multi-year regulatory roadmap targeting persistently high fraud rates in the payment system that handles most US payroll, direct deposit and online purchases. Abhishek Bhasin, senior financial crime subject matter expert at Tata Consultancy Services, examines the phased March and June implementation timelines, explains how standardized entry descriptions and RDFI monitoring requirements will reshape institutional processes and details operational impacts from payment system updates to investigation capacity expansion.
NACHA (the National Automated Clearinghouse Association) has launched a multi-year regulatory roadmap extending through 2028 that overhauls the ACH network’s risk management framework in response to persistently high fraud rates and low recovery outcomes.
The initiative, developed after extensive stakeholder consultations in 2022, introduces staggered rule implementations targeting credit-push payment fraud through enhanced detection protocols and improved fund recovery procedures.
Compliance and risk teams should prepare for mandatory controls affecting the payment system that processes most US payroll, direct deposit and online purchase transactions, requiring organizations to restructure internal risk management processes to align with the new standards over the next four years.
New fraud detection rules for 2026
While NACHA participants already maintain fraud prevention and detection frameworks, 2026 amendments expand the scope of existing rules to strengthen institutional fraud monitoring and increase recovery rates. Among multiple rule changes, two critical requirements take effect in phased implementation during March and June 2026, based on institutions’ 2023 ACH origination and receipt volumes.
Standard company entry descriptions
The company entry description field allows originators to specify payment purpose, enabling institutions to identify and manage fraud risks. NACHA has established two new standardized descriptions effective March 20, 2026:
- PPD credits for wages, salaries and compensation must use “PAYROLL”
- E-commerce purchases must use “PURCHASE”
Enhanced fraud monitoring requirements
The 2026 rules expand fraud monitoring obligations across all network participants. Originating depository financial institutions (ODFIs), non-consumer originators, third-party service providers (TPSPs), third-party senders (TPSs) and receiving depository financial institutions (RDFIs) must establish risk-based processes to identify unauthorized transactions or those authorized under false pretenses, with annual reviews to address evolving risks.
Implementation timeline
Phase 1 (March 20, 2026):
- ODFIs, non-consumer originators, TPSPs and TPSs with 6 million or more annual ACH originations in 2023
- RDFIs with 10 million or more annual ACH receipts in 2023
Phase 2 (June 19, 2026):
- All other non-consumer originators, TPSPs and TPSs
- All other RDFIs
Key changes requiring institutional attention
Standardized entry descriptions
Effective March 20, 2026, institutions must implement standardized descriptions — “PAYROLL” for wage-related PPD credits and “PURCHASE” for e-commerce transactions — to improve fraud prevention and recovery. The amendments aim to reduce fraud in payroll and e-commerce transactions while enabling network participants to identify, monitor and count payments by purpose for enhanced risk management.
Risk assessment framework
NACHA requires all network institutions to adopt risk-based policies identifying fraud in both debit and credit ACH transactions. Institutions must establish robust risk assessment mechanisms at customer and transaction levels to ensure appropriate prioritization and risk-driven monitoring. The rule specifies that risk-based approaches cannot justify eliminating monitoring entirely; institutions must at minimum conduct risk assessments differentiating higher-risk from lower-risk transactions.
The rules mandate fraud monitoring but do not require pre-transaction monitoring, allowing institutions to conduct post-transaction investigations according to their risk appetite.
Expanded fraud detection scope
- RDFI inclusion: The 2026 amendments extend to RDFIs the fraud monitoring requirements that previously applied only to ODFIs, non-consumer originators, TPSPs and TPSs. Institutions must now enhance fraud monitoring coverage for receiving and credit transactions alongside originated ACH payments.
- False pretense detection: Business email compromise (BEC), vendor impersonation and payroll impersonation represent key focus areas for the 2026 amendments. The IC3 2024 Annual Report identified BEC as the seventh most reported crime to IC3 in 2024, with 21,442 complaints and $2.8 billion in losses, ranking second by dollar volume. The updated rules define “false pretense” as inducing payment through misrepresentation of identity, of association with or authority to act for another party, or of account ownership, requiring additional fraud monitoring models and controls.
- Account validation: While NACHA’s March 19, 2021 rule requires organizations to validate first-use consumer account information for online-initiated consumer debit payments (WEB debits), the 2026 amendments extend account validation requirements for enhanced fraud monitoring and timely incident remediation and reporting.
- Information sharing: The 2026 rules mandate internal and external collaboration for enhanced fraud monitoring. Institutions must establish clear policies for internal coordination and inter-institutional collaboration using NACHA’s risk management portal and ACH contact registry to prevent fraud and improve recovery through external coordination.
Documentation and annual review
NACHA emphasizes clear documentation of fraud monitoring and investigation policies and procedures, requiring annual reviews to ensure effectiveness and relevance. The rules mandate that institutions create and maintain internal policies, while ODFIs must review third-party originators’ fraud monitoring processes and procedures.
Institutional impact
Payment processing system updates
Originators, TPSPs and ODFIs processing payroll and e-commerce transactions must update payment and downstream systems to align with required company entry descriptions. While the rule applies only to originating entities, including ODFIs, originators have no obligation to verify new entry description presence or accuracy. RDFIs may leverage intelligence from new descriptions but face no action requirements based on these descriptions.
Risk assessment and due diligence review
Know Your Customer (KYC) and due diligence processes, including event-driven reviews, serve as entry and change control points. Institutions must integrate KYC, risk assessment and due diligence systems with fraud management systems to ensure comprehensive monitoring and collaboration for new onboarding and ongoing changes. The risk-based monitoring approach requires institutions to assess vendors, customers and transactions systematically to identify and prioritize high-risk, high-impact fraud incidents and transactions.
Enhanced fraud detection tools
Institutions must develop robust fraud monitoring frameworks through enhanced detection rules and models or new model development aligned with NACHA requirements, particularly for false pretense scenarios and RDFI credit transactions. Institutions using third-party fraud detection tools may adopt out-of-the-box models or build customized detection layers meeting their specific requirements.
Third-party risk management changes
Vendor impersonation prevention represents a key objective of the amendments, requiring institutions to review vendor and third-party risk management policies, including contract management. Institutions should consider adding fraud monitoring and reporting requirements for third parties to ensure robust monitoring for externally originated transactions.
Beyond contract modifications, institutions must review ongoing vendor due diligence and risk oversight processes to align with enterprise fraud monitoring frameworks.
Investigation capacity expansion
RDFI credit transaction monitoring requirements represent a major operational change. New or modified models monitoring credit transactions may generate increased alert volumes, requiring additional investigator capacity to ensure timely investigation, disposition and remediation. Institutions should ensure skilled investigator availability for timely action.
Institutions may implement AI interventions to optimize and automate fraud investigation processes with appropriate guardrails and controls for robust, timely alert investigation.
Control design effectiveness
Institutions must modify applications, tools, models, policies, and procedures to meet new requirements. Beyond policy, system and model changes, institutions should review existing risk control designs and effectiveness. Compliance teams should assess existing control suitability and effectiveness, designing new controls aligned with changes and institutional risk appetite.
Following control design, institutions should conduct periodic testing, including fraud monitoring model validation, to ensure ongoing effectiveness and compliance.
Policy development and tracking
NACHA requires all institutions to create and maintain comprehensive fraud monitoring policies and procedures covering fraud prevention, detection, investigation and reporting, regardless of existing framework differences. Ongoing compliance requires periodic review mechanisms, with minimum annual reviews ensuring policy and procedure updates align with current fraud dynamics and regulatory requirements.
Conclusion
While the new NACHA 2026 rules primarily focus on introducing standardized entry descriptions for payroll and e-commerce transactions and enhancing institutions’ fraud monitoring, the downstream effects of these changes extend to several related areas, such as KYC/due diligence, vendor management, data services, model risk management and control testing.
As the key objective of the rules is to build a collaborative, comprehensive fraud monitoring framework across network institutions, it is imperative that all originating and receiving institutions align their systems and their fraud monitoring policies and procedures with NACHA requirements, preventing fraud and safeguarding customers through accurate and timely identification, investigation and recovery of fraud proceeds.


Abhishek Bhasin is a senior financial crime subject matter expert at Tata Consultancy Services with diverse experience of 14-plus years of financial crime consulting, technology and operations assignments across business lines for various leading multinational and regional banks across geographies. He is a passionate financial crime enthusiast specializing in managing large-scale financial crime transformations, advisory, technology and business operations. 





