RISK MANAGEMENT TOPICS – (Fraud Monitoring Phase 2)
Effective Date - June 19, 2026
These Rule amendments related to monitoring for fraud become effective on June 19, 2026 and are part of a larger Risk Management package intended to reduce the incidence of successful fraud attempts and improve the recovery of funds after frauds have occurred.
Details
Included in this portion of the Risk Management Rule amendments are the Phase Two requirements related to:
- Fraud Monitoring by Originators, Third-Party Service Providers/Third Party Senders and ODFIs; and
- ACH Credit Monitoring by RDFIs.
Technical
Fraud Monitoring by Originators, TPSPs and ODFIs
(Effective date - Phase 2: June 19, 2026 for all non-Consumer Originators, TPSPs, and TPSs that did not fall under the requirement threshold for Phase 1.)
This rule amendment will require all non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender that did not fall under the requirement threshold for Phase 1, to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.
- The amendment is intended to reduce the incidence of successful fraud attempts.
- Regular fraud detection monitoring can establish baselines of typical activity, making atypical activity easier to identify.
The Nacha Rules currently require Originators to use a commercially reasonable fraudulent transaction detection system to screen WEB debits and when using Micro-Entries.
- These rules are intended to reduce the incidence of unauthorized debits resulting from transactions initiated online, which can experience increased volume and velocity.
These current requirements do not encompass any other transaction types, and so do not currently apply to other types of debits or to any credits other than Micro-Entries.
- However, the existing Nacha Board policy statement “urges that all participants implement adequate control systems to detect and prevent fraud.”
Several changes were made from the original proposal that was issued in a Request for Comment in May 2023.
- Eliminates use of “commercially reasonable” as a standard.
- Replaces “detection system” with “processes and procedures.”
- Provides a next level description of requirements – i.e., “reasonably intended to identify…”
- Provides that the requirements apply “to the extent relevant to the role the entity plays.”
- Allows an ODFI to expressly consider steps that other participants in origination are taking to monitor for fraud in designing its own processes and procedures.
- Clarifies that monitoring is not required pre-processing.
- Requires a review of processes and procedures “at least annually.”
RDFI ACH Credit Monitoring
(Effective date - Phase 2: June 19, 2026 for all RDFIs that did not meet the threshold requirement for Phase 1.)
The amendment will require all RDFIs that did not meet the requirement threshold for Phase 1 to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.
- RDFIs have a view of incoming transactions as well as account profile information and historic activity on Receivers’ accounts.
- A risk-based approach to monitoring can consider factors such as transactional velocity, anomalies (e.g., SEC Code mismatch with account type), and account characteristics (e.g., age of account, average balance, etc.). This aligns with AML monitoring practices in place today.
- Based on its monitoring of incoming credits, an RDFI may decide to return an entry or contact the ODFI to determine the validity of a transaction.
This rule is intended to reduce the incidence of successful fraud and better enable the recovery of funds when fraud has occurred.
- The rule aligns with an institution’s regulatory obligation to monitor for suspicious transactions.
- The rule does not require pre-posting monitoring of credit entries.
ACH transaction monitoring may be happening currently within RDFIs. This amendment encourages the necessary communication between compliance monitoring, operations, product management, and relationship staff. Solutions may be developed in-house. Vendor solutions have emerged on the market to assist in monitoring received payment activity.
Similar to Third-Party Senders, any entity that performs a function of an RDFI in delivering transactions to a Receiver should implement monitoring and detection controls based on the functions performed.
Several changes were made from the original proposal that was issued in a Request for Comment in May 2023.
- Eliminates use of “commercially reasonable” as a standard.
- Replaces “detection system” with “processes and procedures.”
- A risk-based approach to fraud monitoring enables RDFIs to apply resources based on risk assessment for various types of transactions.
- Provides a next level description of requirements – i.e., “reasonably intended to identify…”
- Clarifies that monitoring is not required pre-processing.
- Requires a review of processes and procedures “at least annually.”
False Pretenses
These new Rules also include references to a newly defined term, False Pretenses:
- the inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”
This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario). It does not cover scams involving fake, non-existent or poor-quality goods or services.
Impact
Fraud Monitoring by Originators, TPSPs and ODFIs
Effective dates
- Phase 1 – March 20, 2026
- The rule will apply to all ODFIs
- The rule will apply to non-Consumer Originators, TPSPs, and TPSs with annual ACH origination volume of 6 million or greater in 2023
- Phase 2 – June 19, 2026
- The rule will apply to all other non-Consumer Originators, TPSP, and TPS
Anticipated benefits
- Expanding fraud detection responsibilities to more parties in the ACH Network provides additional opportunities to detect and prevent fraud, especially for frauds that make use of credit-push payments.
- Reducing the incidence of successful fraud and improving the quality of transactions in the ACH Network.
Potential impacts
- Implementing or updating fraud-detection processes and procedures, particularly by organizations that are not currently performing fraud monitoring.
- Less impact for those who have already implemented a monitoring system for WEB Debits or Micro-Entries.
RDFI ACH Credit Monitoring
Effective dates
- Phase 1 – March 20, 2026
- The rule will apply to RDFIs with annual ACH receipt volume of 10 million or greater in 2023.
- Phase 2 – June 19, 2026
- The rule will apply to all other RDFIs.
Anticipated Benefits
- The amendment is intended to reduce the incidence of successful fraud and improve the recovery of funds when fraud has occurred.
- Identifying fraud or potentially fraudulent transactions will better enable an RDFI to exercise heightened scrutiny of accounts that are receiving such transactions.
Potential Impacts
- RDFIs will need to either establish processes and procedures reasonably intended to identify Entries that are suspected of being unauthorized or authorized under False Pretenses or ensure that existing processes and procedures are satisfactory for this requirement, including updating such systems and their alerting processes, if necessary.
- RDFIs may need to enable information sharing internally between teams that monitor transactions for suspicious activity and operations, product, and relationship teams.
- While potentially significant, these impacts are intended to reduce the incidence of fraud that uses ACH payments.
For information on ACH Rules, please visit: www.nacha.org/newrules.