In September 2022, Nacha released a Risk Management Framework to address fraud across the ACH Network. Building on that work, Nacha, in collaboration with industry participants, introduced new rules in March 2024, aimed at reducing fraud, and assigning updated responsibilities to financial institutions, third parties, and organizations that send ACH payments over the ACH Network. The most impacted internal groups may include accounting and finance groups. However, there may be other groups or individuals that should be included during the planning process (legal, compliance, fraud, cybersecurity, or others). 

The new rule states that all corporate end users that send ACH payments must have “risk-based processes and procedures” in place to identify potential fraudulent transactions. This new responsibility applies to businesses, corporations, nonprofits, and third parties that may submit ACH files on the organization's behalf. The new rule does not have a detailed definition for “risk-based processes and procedures,” providing the opportunity to tailor this requirement in a way that works best for your organization. 

Processes and procedures may mean a documented plan that outlines the steps to take if your organization receives a request to update payment information or send a fraudulent payment into the ACH Network. Listed below are implementation deadlines, considerations, and discussion topics that may be top of mind as your organization moves forward in preparation for the implementation date.   

Implementation Dates:

• March 20, 2026: Implementation deadline for corporate end users that send 6 million ACH transactions or more annually.
• June 20, 2026: Implementation deadline for all corporate end users that send any ACH transactions annually.  

Considerations when planning - Potential discussion topics:

• Who within your organization would be part of the conversation if a fraudulent payment is sent (accounting or finance teams, fraud team, and others)?
• Are there policies or processes currently in place to address what should be done if a fraudulent payment is sent?
• Consider the type of ACH payments that are sent. For example: If the accounting team is sending ACH debits to collect payments, this is considered ACH origination and should be included in the development of the risk-based processes and procedures.
• An action plan that addresses detection, prevention, and recovery of transactions that were not prevented. This plan should include a process to detect similar transactions in the future.
• Budget considerations: potential upgrades to current software; additional product purchases from financial institution or third party.

External discussions - Potential discussion topics during external conversations with financial institutions or third parties:

• Identify the financial institution's or third parties' contact that would assist in the event a fraudulent payment is sent.
• Seek out information the financial institution can provide related to the fraudulent payment.
• Identify product offerings that can assist with monitoring (possible budget consideration).  

External discussions - Why does compliance with the new rule matter?

• Nacha is the governing body for the ACH Network. Each ACH participant is required to follow all Nacha Rules that are relevant to their role in the ACH Network.  
• Noncompliance  could lead to compliance fines, fraud losses, reputational risk, and other repercussions.
• Action Item: Review existing internal processes and identify responsible colleagues. Consult your financial institution for guidance on the rule and related inquiries.

Terms to know: 

• Corporate End Users: Corporations, businesses, nonprofits, and state and local government agencies that utilize the ACH Network to send or receive payments.  
• Financial Institution: The bank, bankers’ bank, community bank, credit union, or corporate credit union, that a corporate end user utilizes for monetary transmission such as ACH transactions, wire transfers, check image, and instant rail payments.
• Nacha: The national ACH association that develops rules and governs the ACH Network.
• Third Parties: A processing firm, accounting firm, or other partner that submits ACH files to a financial institution on an organization's behalf.

Questions? Please reply to: [email protected].