March 18, 2024

New Nacha Rules Take Aim at Credit-Push Fraud

ACH Network Logo with background

HERNDON, Virginia, March 18, 2024 – Nacha members have approved a set of rules intended to reduce the incidence of frauds, such as business email compromise (BEC), that make use of credit-push payments. The new rules establish a base-level of ACH payment monitoring on all parties in the ACH Network (except consumers). While the new rules do not shift the liability for ACH payments, for the first time receiving financial institutions (RDFIs) will have a defined role in monitoring the ACH payments they receive.

“All participants in the ACH Network have a part to play in reducing the incidence of fraud, and recovering when fraud has occurred,” said Jane Larimer, Nacha President and CEO. “I applaud Nacha’s members for taking this important step of self-governance.”

BEC, vendor impersonation and payroll impersonation are some examples of frauds that result in payments being “pushed” from a payer’s account to the account of a fraudster. The FBI’s Internet Crime Complaint Center’s 2023 annual report found there were 21,489 BEC complaints in 2023 totaling $2.9 billion in reported losses, making it the second-costliest type of cyber-crime.  According to the Association of Financial Professionals, “Business Email Compromise (BEC) scams are still highly prevalent and are the root cause of payments fraud at a majority of organizations.” 

The new rules follow the flow of a credit-push payment to promote the detection of fraud from the point of origination through the point of receipt at an account at the RDFI. When fraud is detected, the rules empower the originating financial institution (ODFI) to request the return of the payment for any reason; the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely; and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim. An additional rule facilitates transaction monitoring by RDFIs by applying a standard transaction description for ACH credits used for payroll payments.

The impetus for the newly approved Rules came in late 2022 when Nacha released its strategy “Risk Management Framework for the Era of Credit-Push Fraud.” The strategy expanded the focus of fraud detection and prevention to include frauds that use credit-push payments, including ACH credits. While the new rules apply to ACH payments, their principles and techniques are more broadly applicable to all types of credit-push payments.