Keeping the ACH Network safe—and constantly working to strengthen that security—is always top of mind for Nacha. Today, March 20, 2026, marks a milestone in those efforts as a major phase of new Nacha Rules on risk management and transaction monitoring is now in effect, with the next phase right behind in June. 

It’s been three and a half years since Nacha released its “Risk Management Framework for the Era of Credit-Push Fraud.” Before that, the focus had been on unauthorized debits pulling money from accounts. But the Framework noted that had changed, with “the most significant fraud threats to bank account holders” now involving “fraud and scams that result in money being sent out of their accounts using credit payments, including ACH credits, wires, cards, and other instant and digital payments.”

Once these updated Rules are fully implemented later this year, everyone using the ACH Network (except consumers) will be contributing to risk management through risk‑based processes and procedures reasonably intended to identify fraudulent ACH activity.

“What’s particularly noteworthy is that for the first time, RDFIs have a role to play, alongside ODFIs, Originators and third parties,” said Devon Marsh, Nacha Managing Director, ACH Network Rules and Risk Management. “Because of the way credit-push frauds work, financial institutions on both sides of a payment need to be part of the monitoring solution.”

Today marks the start of Phase 1 for fraud monitoring, impacting all ODFIs, regardless of size. It also applies to any non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender whose 2023 annual ACH origination volume was 6 million or greater. They should have established and implemented risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud. In Phase 2, coming in June, the requirement will apply regardless of origination volume.

RDFIs must establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud. Today, it applies to RDFIs with annual 2023 ACH receipt volume of 10 million or greater; in June, it applies to all RDFIs.

“Not only do RDFIs see incoming payments, they also know the profiles of their accountholders. This puts them in a unique position to identify certain unusual activities,” said Marsh. “RDFIs can help address a fraudulent transaction by either returning an entry or checking on its validity with the ODFI.”

Whatever steps your organization has taken to implement these new Rules, Nacha cautioned not to just set it and forget it.

“Fraudsters are always looking for the next big thing, so you should periodically check your procedures and update them as necessary,” said Marsh. “This should be an evolving process, not a ‘one and done.’”

And if your organization has yet to comply with the Rules, it’s not too late. Nacha has many resources to help, including our Credit-Push Fraud Monitoring Resource Center, which includes guidance from Nacha’s Risk Management Advisory Group (RMAG) and a list of third-party service vendors including Nacha Preferred Partners, Nacha Certified companies, and members of Nacha’s Payments Innovation Alliance. 

Nacha Consulting can also help, and they offer a complimentary 15-minute consultation.