June 16, 2025

More Proof of Audit Requests Coming for Financial Institutions

If the phrase “proof of audit” sends shivers down your spine, now’s the time to get your house in order, because Nacha is on the verge of ramping up enforcement. 

Currently, 125 financial institutions and 125 Third-Party Senders (through their FIs) are randomly picked each quarter to show Nacha proof that they’ve had an ACH audit in compliance with the Nacha Operating Rules. But starting in the third quarter of 2025, that old manual system goes away—and a lot more requests will go out.

“It’s going to be more like 700 FIs and 400 Third-Party Senders each quarter,” said Lorie Nash, AAP, APRP, Nacha Senior Director, Compliance. “What we’re trying to do is reach every FI and every Third-Party Sender in a three-year period.” 

What’s going to make all this possible? Automation.

“We are going to have these requests come out of the Risk Management Portal,” said Nash. “It’ll still come by email, but instead of that email coming from me, it’ll come from the Portal. The email will include a link back to the Portal where the FIs can complete an attestation that either they’ve done the audit and when they completed it, or they did not do their audit.”

For its Third-Party Senders, an FI will get one email per quarter, but it could contain proof of audit requests for as many as 10 Third-Party Senders. The FI will need to enter an attestation in the Portal for each Third-Party Sender. 

In addition to the attestations, Nacha will be incorporating a manual evaluation of audit completion. This will involve Nacha reaching out to a small number of randomly selected FIs to request that they provide proof of the audit completion. Acceptable forms of proof include an audit summary, audit certificate, or audit cover letter. If selected for this additional review, FI administrators will receive a separate communication from Nacha.

Unlike the current emails, which come from Nash, the new emails generated by the Portal will have a “do not reply” return address from Nacha.org, which is already used on some other communications. FIs should make sure that address is white-listed so the emails are not sent to spam. Additionally, the emails will go to a much broader audience: each administrator listed in the Portal for a particular FI will receive the email, to increase the likelihood that it is read.

“It’s always best practice to keep your Portal administrators up to date, and with this change just around the corner, it’s an excellent time to go in and review who’s listed as an administrator for your bank or credit union,” said Nash. “Make sure you don’t have administrators who left, or were promoted, and be sure to add their replacements. As a reminder, financial institutions may have up to six administrators.”

Anyone with questions about a proof of audit request will find a new form in the Portal to submit questions to Nacha. 

Nash said that completing attestations is simple. “Just log into the Portal, click ‘yes,’ and put in a date.” Unless, of course, you can’t click “yes,” in which case you’re risking a Class 2 Violation for failure to have an ACH audit, which carries a fine to be determined by the ACH Rules Enforcement Panel. “The fine,” said Nash, “is often more expensive than having the audit done.” 

But Nash stressed that the goal is not to collect fines. In fact, Nacha would much prefer to see compliance.

“When the Nacha Rules are followed, and items such as audits are complied with, it improves the quality, safety and soundness of the ACH Network for all participants,” said Nash. 

Authorized users may log in to Nacha’s Risk Management Portal.