Breaking Down Nacha’s New Risk Management Rules for ODFIs and RDFIs
Are you fully prepared to comply with the fast-approaching new Nacha Risk Management Rules? While it may seem like there is still ample time, the truth is that you should already be well into your readiness process. The risks of non-compliance are not to be underestimated, so don’t let compliance paralysis hinder your organization. Act now to prevent these risks from escalating.
What are the New Rules?
For Originating Depository Financial Institutions (ODFIs)
On March 20, 2026, Phase One of the risk management rules will go into effect. The essence of this new rule set is that ODFIs with 2023 ACH origination volumes of 6 million or greater must establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.
For Receiving Depository Financial Institutions (RDFIs)
On March 20, 2026, RDFIs with an annual ACH receipt volume of 10 million or greater in 2023 will need to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.
The requirement to have processes and procedures in place extends to all participants, regardless of volume, on June 22, 2026. In addition, the Rules establish a new Standard Company Entry Description for PPD Credits, including payment of wages, salaries, and similar types of compensation, as well as a new Standard Company Entry Description for WEB Debits for e-commerce purchases.
For more on the new Rules, see Nacha’s website.
What is the Impact?
For ODFIs
ODFIs must review their processes for screening outbound ACH originations and determine whether their controls are adequate to identify and stop Entries that may have originated under False Pretenses, as well as other fraud scenarios. A key aspect of compliance for ODFIs is determining which transactions and activities pose the highest risk, and establishing baselines for transaction activity to identify unusual or anomalous activity. The responsibility to monitor originated transactions extends to all origination activity, including that of Originators and Third-Party Senders. This means that the ODFI is also responsible for ensuring its Originators’ and Third-Party Senders’ compliance with these Rules. The ODFI should also communicate any expectations it has, above and beyond the Rules, to these parties.
Originators and Third-Party Senders should establish risk-based processes reasonably designed to identify potential fraud scenarios and stop these transactions before they are submitted to the ACH Network. Understanding the degree of risk associated with originating Entries, as well as establishing a baseline for normal activity, is a critical part of the process. In addition, control processes should be formalized and account for any potential area of risk. Originators and Third-Party Senders must also comply with any requirements imposed by their ODFI.
For RDFIs
RDFIs must review their processes for incoming credits, assess the risk of these Entries, evaluate current monitoring processes, and decide on additional monitoring and response activities.
Compliance with the new Rules will benefit from collaboration among multiple groups within the RDFI, so that the institution can act proactively when a customer/member receives funds that may be part of a credit-push fraud scenario. Although there is no formal requirement for RDFIs to identify these scenarios before posting to the Receiver account, the intent is to increase the chance of recovery, so timely identification and RDFI action should be a critical part of compliance action plans.
The new Rules also don’t require a formal name-matching process. However, institutions may want to use name matching along with other factors to identify potential high-risk transactions: baseline deposit activity, unusually large dollar amounts or an abnormally high number of deposits, mismatches between the Standard Entry Class (SEC) Code and the account purpose, immediate withdrawal of funds, transactions from higher-risk Originators/industries, etc.
Additional research and internal collaboration, along with customer/member discussions, may be needed. The RDFI can also suspend ACH funds availability and default to Reg CC requirements if it feels that the Entries warrant additional time and research.
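The RDFI screening factors listed above, combined into a simple rule-based check. This is an added example, not Nacha's code or part of the Rules. The thresholds, field names, SEC-to-account-type groupings, the loose token-overlap name check and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds, field names and SEC groupings are illustrative assumptions, not Nacha values.
AMOUNT_MULTIPLE = 5.0         # "unusually large": above 5x the account's average credit
COUNT_MULTIPLE = 3.0          # "abnormally high": above 3x the usual daily credit count
RAPID_WITHDRAWAL_HOURS = 24   # funds leaving within a day of posting
EXPECTED_SEC = {"consumer": {"PPD", "WEB", "TEL"}, "business": {"CCD", "CTX"}}

@dataclass
class Baseline:
    holder_name: str
    account_type: str          # "consumer" or "business"
    avg_credit: float          # mean ACH credit amount over the lookback window
    avg_daily_credits: float   # typical number of ACH credits per day

@dataclass
class Credit:
    receiver_name: str         # name carried in the Entry
    sec_code: str
    amount: float
    credits_today: int         # ACH credits received today, including this one
    hours_to_withdrawal: Optional[float] = None  # None while funds are still in the account

def _tokens(name):
    cleaned = "".join(ch if ch.isalnum() else " " for ch in name.lower())
    return {t for t in cleaned.split() if len(t) > 1}   # drop initials

def screen_credit(c, b):
    """Return the risk factors this credit triggers against the account baseline."""
    checks = {
        "name_mismatch": not (_tokens(c.receiver_name) & _tokens(b.holder_name)),
        "large_amount": c.amount > AMOUNT_MULTIPLE * b.avg_credit,
        "high_count": c.credits_today > COUNT_MULTIPLE * b.avg_daily_credits,
        "sec_purpose_mismatch": c.sec_code not in EXPECTED_SEC.get(b.account_type, set()),
        "rapid_withdrawal": (c.hours_to_withdrawal is not None
                             and c.hours_to_withdrawal <= RAPID_WITHDRAWAL_HOURS),
    }
    return [name for name, hit in checks.items() if hit]

def disposition(flags):
    # One factor alone is weak evidence; route on the combination.
    return "delay_availability" if len(flags) >= 3 else "review" if flags else "post"

# Constructed sample data: a consumer account, its usual payroll credit, and an outlier.
BASELINE = Baseline("Jane Q. Doe", "consumer", 2100.00, 1.0)
PAYROLL = Credit("JANE DOE", "PPD", 2150.00, 1)
SUSPECT = Credit("ACME SUPPLIES LLC", "CCD", 48000.00, 4, hours_to_withdrawal=2)
```

Returning the list of triggered factors rather than a single score keeps the reason for each review visible to the analyst who follows up with the customer/member.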
How to Comply
So, now that you know the what, how should you get started? And what is a risk-based process and procedure?
The Nacha Rules are intentionally written to provide the industry with flexibility in their adoption. Not all organizations are the same; your processes should be as unique as your company. That said, some baseline activities can help your organization get started.
Conduct a Risk Assessment – Risk assessments should be a mantra in financial services because they are an essential tool. Review your existing fraud monitoring processes. Do they account for various degrees of transaction risk? Are they designed to be proactive rather than reactive?
Document and Update Your Existing Process – Are your processes formalized? Have they been updated recently? Are you accounting for an evolving threat landscape? Are you considering credit-push fraud scenarios and strategies to address “False Pretenses”?
Evaluate Third-Party Solutions to Enhance Your Controls – Are your controls manual? Have you engaged with technology partners to understand the roadmap developments necessary for compliance with the new Rules? Are you considering additional value-added services to enhance your processes?
Complying with the new Rules is more than just reading them and checking a box. It requires stakeholder engagement, process updates, and technology considerations.
The Nacha Consulting Team is Here to Assist
Are you still feeling unsure about where to start? Nacha Consulting has a proven track record of working with numerous clients, guiding them to ensure operational readiness, comply with Nacha Rules, establish robust risk management frameworks, and align with industry best practices.
Click here to set up a free 15-minute consultation and learn more about how Nacha Consulting can help guide your organization to meet your Nacha Rules requirements through well-managed risk-based processes.