Tips for Originators to Comply with the 2026 Risk Management Rules.
Nacha released a new ACH Risk Management Framework for the Era of Credit-Push Fraud in 2022 and has been working tirelessly to bring awareness to credit-push fraud schemes and to find solutions ever since. Fraudsters are crafty and intentionally use schemes designed to foil the victims and every participant in the chain of an ACH transaction from origination to receipt. Financial institutions play a key role in detecting and preventing fraud, but they can’t do it alone.
The Risk Management Framework recognizes all participants have a role to play in detecting, preventing, and recovering from frauds that utilize ACH and other credits. New Nacha Rule amendments become effective in 2026 requiring processes and procedures that are reasonably intended to identify entries that are suspected of being unauthorized or authorized under false pretenses. These fraud monitoring amendments affect Receiving Depository Financial Institutions (RDFIs), Originating Depository Financial Institutions (ODFIs), non-consumer Originators, Third-Party Senders (TPSs), and Third-Party Service providers (TPSPs).
Nacha and its Risk Management Advisory Group (RMAG) have previously published best practices and asked Originators to help protect themselves and their customers from fraudsters, but this is the first time Originators are required to implement fraud monitoring and detection under the Rules. The controls, processes, and procedures used should be risk based and scaled for the size and operational complexities of the organization. Originator controls can be developed internally, provided by an Originator’s financial institution, or created by third-party solution providers. Many of these controls can be used in concert to provide layered security.
- Dual Controls – Dual control requires more than one individual to initiate a payment. One individual may authorize the creation of an ACH entry with another confirming the entry and releasing it to the financial institution. A fraudster may be able to get past one individual, but will have difficulty tricking two. Dual control is often offered by financial institutions to their corporate customers, and it may even be required.
- Account Validation – Account validation tools are used to assess new accounts and changes on existing accounts. These tools can be used to confirm that, at a minimum, an account with that account number is open at the RDFI. Other account ownership verification tools may go beyond simple account validation and into Know Your Customer (KYC) identification. These tools provide much richer data about the account owner, including details such as the name, address, balance of the account, and even the IP address associated with the location of the account owner. These services are regularly offered by third parties.
- Multi-factor Authentication – Multi-factor authentication is considered more robust than password-only authentication. A second factor in addition to the password can be a second credential, operator intervention, or a biometric input. A fraudster can use social engineering to steal a username and password but cannot obtain the second factor required to access the system. A physical token or biometric solution is preferred to a solution using a code via text or email because fraudsters have developed tools to intercept the content of these channels.
- Out-of-Band Authentication – Authenticate payment requests or changes to payment instructions by independently verifying the request/change using a method other than the method used by the original request. For example, if a vendor calls to request a change to their routing and account information for future payments, use contact information contained within your organization’s internal database to contact the vendor via phone or email.
- Routine and Red Flag Reporting – Review and reconcile accounts daily. Generate regular reports that identify transactions to new relationships, transactions of existing customers to new accounts, or abnormal activity. Verify that these transactions were intentional.
- Review User Rights – Review user rights to online banking systems regularly and promptly remove access for terminated or transferred employees who no longer require access.
- Secure Systems and Applications – Ensure maintenance of firewalls and make sure antivirus software is up to date. Ensure all system components and software have the latest vendor-supplied security patches installed.
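The "Routine and Red Flag Reporting" item above, as an added example that is not from Nacha or the article: a script that runs the three checks that item lists (payment to a new payee, existing payee at new account details, abnormal amount) over a constructed batch of outbound credits against a constructed history, and holds anything it flags for out-of-band confirmation before release. Payee names, routing and account numbers, dates and the 2x amount threshold are assumptions.

```python
"""Daily red-flag report over a batch of outbound ACH credits (added example,
not from Nacha or the article). Payee names, routing/account numbers and the
2x amount threshold are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Credit:
    payee: str      # vendor or employee identifier in the Originator's system
    routing: str    # RDFI routing number the credit is pushed to (constructed)
    account: str    # receiving account number (constructed)
    amount: float
    when: date

# Constructed history of previously settled, verified credits (the baseline).
HISTORY = [
    Credit("acme-supply", "111000111", "1234567", 4800.0, date(2026, 1, 5)),
    Credit("acme-supply", "111000111", "1234567", 5100.0, date(2026, 2, 5)),
    Credit("brown-llc", "222000222", "9988776", 700.0, date(2026, 3, 1)),
]

def red_flags(batch, history, amount_factor=2.0):
    """Return (credit, reason) pairs needing out-of-band verification before release."""
    by_payee = {}
    for c in history:
        by_payee.setdefault(c.payee, []).append(c)
    flags = []
    for c in batch:
        prior = by_payee.get(c.payee)
        if not prior:  # new relationship: confirm the payee exists and owns the account
            flags.append((c, "first payment to a new payee"))
            continue
        last = max(prior, key=lambda p: p.when)
        if (c.routing, c.account) != (last.routing, last.account):  # changed instructions
            flags.append((c, "existing payee, new routing/account details"))
            continue
        if c.amount > amount_factor * max(p.amount for p in prior):  # abnormal amount
            flags.append((c, f"amount exceeds {amount_factor:g}x prior maximum"))
    return flags

if __name__ == "__main__":
    today = [  # constructed batch awaiting release to the ODFI
        Credit("acme-supply", "111000111", "1234567", 5000.0, date(2026, 4, 5)),
        Credit("acme-supply", "111000111", "7654321", 5000.0, date(2026, 4, 5)),
        Credit("newco", "333000333", "5550001", 1200.0, date(2026, 4, 5)),
        Credit("brown-llc", "222000222", "9988776", 2500.0, date(2026, 4, 5)),
    ]
    for credit, reason in red_flags(today, HISTORY):
        print(f"HOLD {credit.payee} ${credit.amount:,.2f}: {reason}")
```

Each held credit should be confirmed with the payee through contact details already on file, as the out-of-band item above describes, not through whoever requested the change.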
Credit-push fraud schemes rely on social engineering to trick victims into sending the fraudster money. Social engineering fraud isn’t complex; controls can be simple, but they must be utilized to be effective. Financial institutions should encourage their Originators to utilize services offered by their organization and to seek other tools to ensure payments are originated only by their employees for verified and authorized purposes.