NACHA (National Automated Clearing House Association) Rule Changes 2026

Starting June 19, 2026, a new rule requires all non-consumer ACH Originators to establish and implement risk-based processes and procedures reasonably intended to identify ACH entries initiated due to fraud. The core focus of this rule is to mitigate fraud in ACH transactions, specifically targeting Unauthorized Entries: Transactions initiated without the account holder’s permission (e.g., account takeover) and Entries Authorized under False Pretenses: Payments resulting from deception, such as Business Email Compromise (BEC), vendor impersonation, or payroll impersonation.
This is a mandated rule by NACHA that affects all financial institutions that have business customers who originate ACH transactions.

“False Pretenses” refers to fraud scenarios where a payment is authorized based on an act of deception. This is a crucial addition to the NACHA rules because it covers many of the most damaging fraud schemes today, including:

  • Business Email Compromise (BEC): A fraudster impersonates an executive or vendor via email to instruct an ACH payment to a fraudulent account.
  • Impersonation: A fraudster calls or emails to trick an employee into changing payment information for a legitimate vendor or employee.

Here are some specific examples of what “false pretenses” might look like:

  • A fraudster gets someone’s login info and makes a payment from their account.
  • A fraudster lies about who they are or who owns the account receiving the money.
  • A fraudster pretends to be the CEO or CFO and tricks someone into making a payment.
  • A fraudster pretends to be a vendor and asks for payment.
  • A fraudster pretends to be a real estate agent or attorney and asks for money.
  • A fraudster pretends to be an employee and asks for payment.
  • A fraudster gets into a company’s payroll system and changes where the money goes.

Here are some ways to protect your business against false pretenses scams:

  • Verify, verify, verify: Always double-check the identity of anyone requesting payment, especially if it’s unexpected. Call the person or organization directly using a known phone number, not one provided in a suspicious email or text.
  • Be cautious of urgent requests: Scammers often try to create a sense of urgency to pressure you into acting quickly without thinking. Take your time and verify the legitimacy of the request.
  • Watch out for inconsistencies: Look for anything that seems out of place, such as an unusual email address, poor grammar or spelling, or a sudden change in payment instructions.
  • Use strong passwords and two-factor authentication: This can help protect your accounts from unauthorized access.
  • Educate yourself and your employees: Make sure everyone in your organization is aware of false pretenses scams and how to avoid them.
  • Keep software updated: Regularly updating your operating system and security software can help protect against malware and other threats.
  • Review account activity: Monitor your bank and credit card statements regularly for any suspicious activity.
  • Report suspicious activity: If you think you may have been a victim of a false pretenses scam, report it to your bank and the authorities immediately.

Effective fraud monitoring processes must be layered and tailored to your business. What you monitor should depend on your specific ACH transactions (e.g., payroll vs. vendor vs. collection of customer payments).

In addition to the rule’s requirements, your program should consider:

  • Unauthorized Withdrawals: How can you prevent external parties from pulling money without permission?
  • Compromised Credentials: How can you protect your internal systems used for managing payment information and activity?
  • Change Request Fraud: How can you verify the authenticity of payment instruction changes?

It is important to remember that your ACH fraud monitoring processes are unique to your business. The processes you implement must be tailored to your specific structure, payment volume, and unique fraud risks. The examples provided below are for informational guidance only – they are a starting point, not a complete checklist. Your unique fraud monitoring processes may include a combination of the following procedural and technical controls:

  • Dual Authorization/Segregation of Duties: Requiring at least two separate individuals to authorize high-dollar payments or ACH files. No single person should be able to create, approve, and release a payment.
  • Out-of-Band Verification: When receiving an email request for a bank account change (vendor or employee), verifying the change via a trusted secondary channel (e.g., a phone call to a known number on file, not the number listed in the suspicious email).
  • System Controls and Anomaly Detection: Utilizing your internal accounting or payment systems to automatically flag or alert you to unusual activity, such as:
      • Payments to a new vendor that exceed a set dollar threshold
      • Sudden increases in transaction volume or amount outside of normal business patterns
      • Unusual payment destinations (e.g., high-risk geographical locations)
  • Strong Access Controls (MFA): Limiting the number of employees who have access to your ACH origination system and enforcing Multi-Factor Authentication (MFA) for all users to protect against compromised login credentials.
  • Dedicated Payment Workstations: Restricting the computers used to initiate or approve ACH payments from being used for high-risk activities like opening external email attachments or general web browsing.
  • Formal Fraud Incident Response Plan: Maintaining a clear, documented plan that specifies the immediate steps to take if fraud is detected.
  • Mandatory, Continuous Employee Training: Implementing regular (e.g., quarterly) training for all staff involved in payments to recognize, question, and independently authenticate suspicious requests (a key defense against social engineering).
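To show how the dual-authorization and anomaly-detection controls above can be turned into an automated pre-release check, here is an added illustration (not code from NACHA or from this institution). The dollar threshold, spike multiplier, country list and all sample payments are constructed assumptions; a real program would take them from your own risk assessment.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Thresholds below are assumed for illustration, not values from the rule or this page.
NEW_VENDOR_THRESHOLD = 10_000.00   # first payment to an unknown vendor above this is flagged
SPIKE_MULTIPLIER = 3.0             # amount above 3x the vendor's historical mean is flagged
HIGH_RISK_COUNTRIES = {"XX"}       # placeholder destination list; a real one comes from your risk policy

@dataclass
class Payment:
    vendor_id: str
    amount: float
    dest_country: str
    created_by: str
    approved_by: Optional[str] = None   # None means no second person ever approved the payment
    released_by: Optional[str] = None

def review_payment(p: Payment, history: dict[str, list[float]]) -> list[str]:
    """Return the control flags raised by one payment; an empty list means no alert."""
    flags = []
    past = history.get(p.vendor_id, [])
    if not past and p.amount > NEW_VENDOR_THRESHOLD:
        flags.append("new-vendor-over-threshold")
    elif past and p.amount > SPIKE_MULTIPLIER * mean(past):
        flags.append("amount-spike")
    if p.dest_country in HIGH_RISK_COUNTRIES:
        flags.append("high-risk-destination")
    # Dual authorization: the approver must exist and differ from the creator,
    # and the creator must not also be the one who releases the payment.
    if p.approved_by is None or p.approved_by == p.created_by:
        flags.append("missing-dual-authorization")
    elif p.released_by == p.created_by:
        flags.append("creator-released-own-payment")
    return flags

# Constructed sample data: three past payments to vendor V100, and a batch to review.
SAMPLE_HISTORY = {"V100": [1200.0, 1500.0, 1100.0]}
SAMPLE_BATCH = [
    Payment("V100", 1300.0, "US", "alice", "bob", "carol"),    # normal, no flags
    Payment("V999", 25000.0, "US", "alice", "bob", "carol"),   # new vendor, large amount
    Payment("V100", 9000.0, "US", "alice", "bob", "carol"),    # 9000 > 3 * 1266.67 -> spike
    Payment("V100", 1250.0, "US", "alice", "alice", "carol"),  # creator approved own payment
    Payment("V100", 1250.0, "XX", "alice", "bob", "carol"),    # high-risk destination
]

def review_batch(batch: list[Payment], history: dict[str, list[float]]) -> dict[int, list[str]]:
    """Map each payment's index in the batch to its flags, keeping only payments that raised any."""
    return {i: f for i, p in enumerate(batch) if (f := review_payment(p, history))}
```

Flagged payments would be held for out-of-band verification rather than released; the history baseline would come from your own prior ACH files.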

No. This rule is a compliance standard for Originators, Third-Party Senders, and all Financial Institutions. It establishes a requirement for all Originators to have active, risk-based fraud monitoring. It does not change the fundamental allocation of liability for fraud under existing law, but it does require you to strengthen your controls to mitigate these risks.

We urge you to begin assessing your current fraud controls regarding ACH transactions. This rule mandates that all Originators establish processes and procedures to identify fraud. Your processes and procedures need to be tailored to fit your specific ACH transactions.

Going forward we will incorporate your fraud monitoring processes into your annual review unless changes to your ACH service require an earlier review.