How to Build an ACH Fraud Monitoring Program That Passes a NACHA Exam

Published April 14, 2026
Read time: 7 mins
Gal Perelman
Product Marketing Lead, Unit21

Building an ACH fraud monitoring program that satisfies the NACHA 2026 requirements isn’t just about detection controls. Most institutions that run into trouble in exams have monitoring in place; they just haven’t documented it, structured it into a reviewable program, or built the annual update cycle the rules explicitly require.

This piece covers the program layer: what to document, how to conduct a substantive annual review, and what examiners actually evaluate when they assess your NACHA compliance posture.

Controls vs. Program: Why the Distinction Matters

There’s an important gap between having fraud controls and having a fraud program. Controls are the rules, the alert thresholds, the case management workflow. A program is the documented framework that ties all of those together: written policies, defined procedures, clear ownership, and a repeatable review cycle.

NACHA 2026 explicitly requires the latter. Written procedures, a risk-based approach calibrated to your institution, and annual review aren’t optional elements; they’re the baseline. Institutions that have controls but haven’t built the program layer around them are technically non-compliant regardless of how good their detection is.

What an ACH Fraud Monitoring Program Must Document

Documentation for NACHA compliance falls into five categories, each of which an examiner may ask to review:

Written Fraud Monitoring Procedures

Procedures need to be specific to your institution’s role. ODFI procedures differ from RDFI procedures; TPS obligations differ from TPSP obligations. Generic industry templates are a starting point, not a finished product. Your written procedures should reflect your actual transaction volume, customer base, product set, and identified fraud exposures.

The test isn’t whether a procedure document exists; it’s whether the document accurately describes what your institution actually does.

Risk Assessment

How did your institution identify its fraud risks? Why do your current controls address them? The risk assessment is the foundation that makes the rest of the program defensible. An examiner who asks “why did you build your ACH monitoring this way?” should get an answer that traces back to documented risk identification, not institutional habit.

Rule Documentation

For each detection rule in your monitoring program: what does it do, what fraud typology does it target, what logic and thresholds were used, and when was it last reviewed? Rules that exist without documented rationale can’t be defended. Under NACHA 2026, rules must also demonstrably cover the newly in-scope typologies: BEC, payroll redirection, authorized push payment fraud, and mule account activity.

Triage and Case Management Standards

How do alerts get reviewed? What criteria trigger escalation to a full investigation? What’s the expected turnaround time for different alert types? These standards should be written down, not reliant on tribal knowledge. A program that depends on individual judgment for every triage decision produces inconsistent outcomes and creates exam risk when staff turns over.

SAR Decision Criteria

What triggers a SAR filing obligation? What triggers a voluntary filing? What documentation is required when your institution decides not to file? The decision matrix should be explicit. Case-by-case judgment without documented criteria produces inconsistency, the exact thing examiners are looking for when they review your SAR filing patterns.

The Annual Review: What It Actually Requires

The annual review obligation is explicit in the NACHA 2026 rules, and it’s one of the most commonly underdone elements of ACH fraud compliance programs across the industry. Institutions either skip the review, perform a superficial version, or do genuine work and fail to document it. All three produce the same result: no evidence that the program is actively maintained.

A substantive annual review covers:

  • Fraud loss experience and pattern shifts over the past year
  • Alert volume, false positive rates, and case conversion rates by rule
  • Emerging fraud typologies and changes in the threat environment
  • Rule and threshold updates based on findings
  • Assessment of whether the risk-based approach still fits the current risk profile

The review must produce a document: a memo, a committee report, or a board-level presentation that proves it happened. The documentation is as important as the review itself. “We reviewed our program” without a written record of what was reviewed, what changed, and why is an exam finding waiting to happen.

What Examiners Actually Test For

When examiners evaluate an ACH fraud compliance program under the 2026 rules, they’re working through a consistent set of questions:

Can you explain your program?

Not just produce documents on request, but articulate the logic. Why these rules? Why these thresholds? Institutions that can walk an examiner through their monitoring program coherently, connecting controls to identified risks and documented decisions, are in a fundamentally different position than institutions that hand over a policy binder and hope for the best.

Is your monitoring proportionate to your risk?

The risk-based standard gives institutions flexibility, but it also means examiners will evaluate whether controls are appropriate for your specific risk profile. A community bank with conservative origination volume and a stable customer base should run a different program than a high-volume payments processor. Generic programs not calibrated to the institution’s actual risk profile raise questions regardless of what the documentation says.

Does your written program match your actual operations?

The gap test is straightforward: take your written procedures and trace them against what your operations team actually does. Gaps between documented and actual practice are exam findings. This is why compliance-authored procedures that have never been reviewed by operations teams are so dangerous: they describe a program that doesn’t exist in practice.

Can you demonstrate the annual review?

Evidence of a genuine annual review (actual analysis, documented findings, rule changes with rationale) is increasingly what separates mature ACH fraud programs from compliance paperwork. “We reviewed our procedures” without a document trail is not sufficient.

Program Ownership and Cross-Team Coordination

An ACH fraud monitoring program needs a clear owner: a fraud operations manager or BSA/compliance officer with the authority to make decisions about rules, procedures, and escalation standards. Shared ownership across multiple teams with no designated lead produces programs that don’t get maintained.

Cross-team coordination is unavoidable: fraud operations, payment operations, compliance, and customer service all touch different parts of the program. The handoffs between these teams (on SAR decisions, return code strategy, and customer contact protocols) need to be documented, not reliant on informal relationships. The NACHA 2026 rules require consistent procedures. Consistency is harder to achieve without explicit handoff documentation.

Using Case Data to Keep Your Program Current

The best input to your annual review is your own operational data. Alert volumes by rule. False positive rates by entity type and transaction category. Fraud loss trends by SEC code and typology. SAR filing rates and closure reasons. Institutions that mine their case data systematically produce reviews that are both more defensible and more useful.

Fraud patterns shift. Rules calibrated to last year’s threat environment need to evolve. The annual review is the forcing function that makes that evolution happen on a documented, regular schedule rather than reactively, after a loss event or an exam finding.

Closing the Series

The NACHA 2026 rules ask institutions to do something historically optional: build and maintain a real ACH fraud program, not just respond to individual fraud events. Detection capabilities, investigation workflows, and program documentation all need to work together.

The four pieces in this series cover the full arc: what the 2026 ACH rule changes actually require, how to build detection for the fraud typologies now in scope, how to run investigations from alert to SAR, and how to build the program layer that makes all of it defensible.

The entity-specific breakdown (what RDFIs, ODFIs, TPSs, and TPSPs each need to do) is at the NACHA 2026 overview.

For a practical FAQ on the 2026 ACH rule changes, covering compliance timelines, entity-specific requirements, data sharing obligations, and technology mandates, the 2026 NACHA Operating Rules FAQ answers the questions compliance program owners are most frequently asking as the deadlines approach.


Gal Perelman is the Product Marketing Lead at Unit21, where she spearheads go-to-market strategies for AI-driven risk and compliance solutions. With over a decade of experience in the fintech and fraud sectors, she has led high-impact launches for products like Watchlist Screening and AI Rule Recommendations.

Previously, Gal held marketing leadership roles at Design Pickle, Sightfull, and Lusha. She holds a Master’s degree from American University and a Bachelor’s from UCLA, and is dedicated to helping banks and fintechs navigate complex regulatory landscapes through innovative technology.
