Fraud Monitoring by Originators, TPSPs and ODFIs
(Effective date - Phase 1: March 20, 2026 for all ODFIs and non-Consumer Originators, TPSPs, and TPSs with annual ACH origination volume of 6 million or greater in 2023.)

This rule amendment will require all ODFI, and each non-Consumer Originator, Third-Party Service Provider, and Third-Party Sender with annual ACH origination volume in 2023 of 6 million or greater, to establish and implement risk-based processes and procedures reasonably intended to identify ACH Entries initiated due to fraud.

• The amendment is intended to reduce the incidence of successful fraud attempts.
• Regular fraud detection monitoring can establish baselines of typical activity, making atypical activity easier to identify.

The Nacha Rules currently require Originators to use a commercially reasonable fraudulent transaction detection system to screen WEB debits and when using Micro-Entries.

• These rules are intended to reduce the incidence of unauthorized debits resulting from transactions initiated online, which can experience increased volume and velocity.

These current requirements do not encompass any other transaction types, and so do not currently apply to other types of debits or to any credits other than Micro-Entries.

• However, the existing Nacha Board policy statement “urges that all participants implement adequate control systems to detect and prevent fraud.”

Several changes were made from the original proposal that was issued in a Request for Comment in May 2023.

• Eliminates use of “commercially reasonable” as a standard.
• Replaces “detection system” with “processes and procedures.”
• Provides a next level description of requirements – i.e., “reasonably intended to identify…”
• Provides that the requirements apply “to the extent relevant to the role the entity plays.”
• Allows an ODFI to expressly consider steps that other participants in origination are taking to monitor for fraud in designing its own processes and procedures.
• Clarifies that monitoring is not required pre-processing.
• Requires a review of processes and procedures “at least annually.”

RDFI ACH Credit Monitoring
(Effective date - Phase 1: March 20, 2026 for RDFIs with annual ACH receipt volume of 10 million or greater in 2023.)

The proposal will require RDFIs with annual ACH receipt volume of 10 million or greater in 2023 to establish and implement risk-based processes and procedures designed to identify credit Entries initiated due to fraud.

• RDFIs have a view of incoming transactions as well as account profile information and historic activity on Receivers’ accounts. 
• A risk-based approach to monitoring can consider factors such as transactional velocity, anomalies (e.g., SEC Code mismatch with account type), and account characteristics (e.g., age of account, average balance, etc.). This aligns with AML monitoring practices in place today. 
• Based on its monitoring of incoming credits, an RDFI may decide to return an entry or contact the ODFI to determine the validity of a transaction.

This rule is intended to reduce the incidence of successful fraud and better enable the recovery of funds when fraud has occurred.

• The rule aligns with an institution’s regulatory obligation to monitor for suspicious transactions.
• The rule does not require pre-posting monitoring of credit entries.

ACH transaction monitoring may be happening currently within RDFIs.  This amendment encourages the necessary communication between compliance monitoring, operations, product management, and relationship staff. Solutions may be developed in-house. Vendor solutions have emerged on the market to assist in monitoring received payment activity.

Similar to Third-Party Senders, any entity that performs a function of an RDFI in delivering transactions to a Receiver should implement monitoring and detection controls based on the functions performed.

Several changes were made from the original proposal that was issued in a Request for Comment in May 2023.

• Eliminates use of “commercially reasonable” as a standard.
• Replaces “detection system” with “processes and procedures.”
  • A risk-based approach to fraud monitoring enables RDFIs to apply resources based on risk assessment for various types of transactions.
• Provides a next level description of requirements – i.e., “reasonably intended to identify…”
• Clarifies that monitoring is not required pre-processing.
• Requires a review of processes and procedures “at least annually.”

False Pretenses

These new Rules also include references to a newly defined term, False Pretenses:

• the inducement of a payment by a Person misrepresenting (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.”

This definition covers common fraud scenarios such as Business Email Compromise (BEC), vendor impersonation, payroll impersonation, and other payee impersonations, and complements language on “unauthorized credits” (account takeover scenario).  It does not cover scams involving fake, non-existent or poor-quality goods or services.