Nacha's ACH Fraud Rules Put Smaller Payment Users on a June 22 Monitoring Deadline

Nacha's second phase of ACH fraud-monitoring rules is now reaching the smaller businesses, fintech processors, service providers and receiving banks that did not fall into the first high-volume compliance group. The formal effective date was June 19, but Nacha says the practical deadline is Monday, June 22, because June 19 was a federal holiday.

The change matters because ACH is still one of the core payment rails behind payroll, vendor payments, account funding, refunds, bill pay and business-to-business transfers in the United States. Nacha says the ACH Network processed 35.2 billion payments worth $93 trillion in 2025, so even a rule that sounds procedural can change the operating burden for banks, payment processors, treasury teams and software platforms that move money through ACH.

The practical market question is not whether ACH users should care about fraud. They already do. The sharper question is who now has to prove, document and regularly review fraud controls when a payment looks authorized but was induced by deception.

What changed

Nacha's Phase 2 rule extends fraud-monitoring obligations to all remaining non-consumer ACH originators, third-party service providers and third-party senders that were not captured by the March 20 high-volume threshold. It also extends ACH credit-monitoring requirements to all remaining receiving depository financial institutions.

The rule language is deliberately risk-based. Covered parties must establish and implement processes and procedures reasonably intended to identify ACH entries initiated due to fraud. Nacha says the requirements should be applied based on the role each party plays, and it does not require monitoring before every payment is processed.

That flexibility is important, especially for smaller companies and community institutions. A small nonprofit sending occasional payroll and vendor payments does not need the same fraud stack as a national processor. But it does need a documented way to spot suspicious payment changes, unusual activity, account anomalies and potential false-pretense transactions.

Why ACH fraud risk is changing

The rule is aimed at a type of fraud that older payment controls often handled poorly: credit-push fraud. In those schemes, the victim authorizes the payment, but does so because someone misrepresented an identity, authority or ownership of the account being credited. Vendor impersonation, business email compromise and payroll diversion are common examples.

That distinction matters because many traditional ACH controls were built around unauthorized debits or return-rate problems. Credit-push scams can look clean in a narrow payment file because the sender intended to initiate the transfer. The defect is in the instruction, the beneficiary change or the deception behind the authorization.

Federal Reserve Financial Services framed the same operational issue in its FedACH guidance: regular fraud detection monitoring helps establish normal activity baselines, making atypical activity easier to identify. That is the heart of the shift. ACH compliance is moving closer to transaction behavior, payee-change controls and exception workflows, not just file submission rules.

Who gains leverage

Banks and payment processors gain more room to demand stronger controls from business customers and platform partners. If an originating bank is responsible for ACH risk, it has a clearer reason to ask how a payroll provider, accounts-payable platform, marketplace, lender or fintech app verifies account ownership, reviews payment changes and investigates suspicious activity.

Fraud, identity and payments-infrastructure vendors also gain a practical selling point. Plaid, Bottomline and other payments providers have already framed the rule as a reason for companies to formalize account ownership checks, anomaly detection, velocity monitoring, return-rate tracking and annual control reviews. That does not mean every business needs a new vendor, but it does make manual-only controls harder to defend as ACH volume grows.

The parties facing new pressure are smaller ACH originators and receiving banks that may not have treated ACH fraud monitoring as a formal program. For them, the near-term cost is not just technology. It is documentation, staff training, escalation design, legal and compliance coordination, and the ability to show a bank or auditor what happens when a suspicious payment pattern appears.

What remains unclear

The rule does not mandate a specific system, dollar threshold, model, vendor or pre-processing review. That is sensible for a network used by companies of very different sizes, but it leaves room for uneven implementation. Two businesses can both be compliant while using very different controls, as long as their processes are risk-based, documented and reviewed.

There is also an effectiveness question. Nacha says receiving banks may use information such as transaction velocity, SEC code mismatch, account age and account history to identify suspicious ACH credits. But the rule does not make every suspicious credit reversible, and Convera notes that receiving banks are not required to return a payment simply because an originating bank requests it. Faster communication can improve recovery odds, but it does not guarantee recovery.

The commercial limit is equally important. Smaller merchants, nonprofits and businesses may understand the fraud problem but still struggle to build durable controls if their accounting systems, bank portals and payment vendors do not make suspicious-change review easy. The rule creates a compliance floor; the user experience will depend on whether banks and fintech platforms turn that floor into practical workflow.

What to watch next

The first checkpoint is how banks update ACH onboarding and annual reviews for business customers. Watch whether ODFIs ask for written fraud-monitoring procedures, payee-change controls, account-verification steps and escalation contacts as standard documentation.

The second checkpoint is vendor behavior. Payments platforms, treasury software providers, payroll processors and accounts-payable tools are likely to add more visible ACH fraud controls, including account ownership checks, approval trails, velocity alerts and return-rate dashboards.

The third checkpoint is measurable fraud and recovery performance. Nacha's rule is designed to reduce successful fraud attempts and improve fund recovery after fraud occurs. Over the next several quarters, the most useful signs will be changes in ACH return patterns, bank response times, documented false-pretense cases, RDFI alert quality and whether smaller ACH users can comply without slowing legitimate payments.