
NACHA 2026 Rule Changes: What ACH Participants Actually Need to Do

Published April 7, 2026 | Read time: 5 mins
Gal Perelman, Product Marketing Lead, Unit21

The NACHA 2026 rule changes are the most significant update to ACH operating rules in years, and they’re generating more confusion than clarity. Institutions are either treating them as a mandate for real-time detection infrastructure or quietly hoping enforcement won’t materialize. Both approaches will cost them.

This piece covers what the 2026 ACH amendments actually require, who they apply to and when, and what’s explicitly not mandated, so compliance teams can build a proportionate program instead of an overbuilt one.

What’s Actually New in the NACHA 2026 Rule Changes

For most of ACH’s history, fraud meant unauthorized transactions: someone accessed an account without permission and moved money. If a victim was deceived into authorizing a payment (a vendor impersonation scheme, a payroll redirect, a business email compromise), that payment was legally “authorized” and largely outside the ACH fraud framework.

The 2026 amendments close that gap. For the first time, both originating and receiving institutions are required to monitor ACH transactions for fraud, including transactions “authorized under false pretenses,” payments the customer genuinely approved, but only because they were deceived. Authorized push payment fraud, BEC, and payroll redirection are now explicitly in scope.

Two new ACH entry descriptions also go live for all participants regardless of volume: PAYROLL and PURCHASE. These give institutions better categorization signal for transaction monitoring going forward.

Who Needs to Comply and When

The ACH rule amendments phase in by transaction volume:

  • ODFIs and TPSs originating 6 million or more ACH transactions annually → March 20, 2026
  • RDFIs receiving 10 million or more ACH credits annually → March 20, 2026
  • All remaining non-consumer originators and RDFIs → June 22, 2026

The PAYROLL and PURCHASE entry descriptions apply to all participants regardless of volume. If you haven’t confirmed which threshold applies, that determination should come first.

What “Risk-Based” Actually Means

The phrase that runs through the 2026 ACH fraud rules is “risk-based fraud monitoring procedures.” Institutions tend to misread this in one of two directions.

It doesn’t mean uniform controls across the industry. A community bank originating 400,000 WEB debits a year isn’t expected to run the same program as a large payments processor. Controls need to be proportionate to your transaction volume, customer base, product set, and fraud exposure.

What it does mean: your institution must have defined its risks, built procedures that address them, and documented that work. “We monitor transactions” is not a fraud monitoring program. “We apply risk-based rules to outbound WEB debits that flag payroll redirection indicators and high-velocity origination, with documented escalation procedures reviewed annually” is.

“Risk-based” gives you flexibility in what controls you use. It doesn’t give you flexibility in whether you have them.

What the 2026 ACH Fraud Rules Don’t Require

Real-time screening of every transaction is not required. The 2026 amendments do not mandate that every ACH entry be evaluated at the moment of submission. Controls must be reasonably designed to detect fraud, and batch-based monitoring, post-posting review, and entity-level behavioral analysis can all satisfy that standard depending on the institution’s risk profile.

There is also no technology mandate. NACHA does not require machine learning models, device intelligence, behavioral biometrics, or any specific detection method. What’s required is that the approach is documented, defensible, and reviewed at least annually.

Understanding this matters when evaluating vendor claims and building the internal business case for compliance investment.

What the Rules Do Require

In practical terms, the 2026 ACH rule changes require three things:

Written procedures specific to your role. ODFI obligations differ from RDFI obligations, and both differ from TPS and TPSP obligations. Generic templates are a starting point, not a final product. Procedures need to reflect your institution’s actual risk environment.

An annual review cycle. Fraud monitoring procedures must be reviewed and updated at least once a year. This must produce documented evidence of what was reviewed, what changed, and why, not a rubber stamp.

Coverage of the newly in-scope typologies. Monitoring must address transactions authorized under false pretenses. If your existing fraud program focuses exclusively on ATO and unauthorized debits, it has a gap that the 2026 rules explicitly target.

What Comes Next

Understanding what the NACHA 2026 rule changes require is step one. The harder work is building the detection logic, investigation workflow, and documentation infrastructure to deliver on it.

The rest of this series covers each stage in depth: how to build ACH fraud detection for the typologies now in scope, how to run investigations from first alert through SAR filing, and how to build a program that holds up under examiner scrutiny.

For the entity-specific breakdown of what RDFIs, ODFIs, TPSs, and TPSPs each need to do, see the NACHA 2026 overview.

For answers to specific questions about how the rule changes apply to your institution, including how to interpret the compliance timelines, what qualifies as a covered transaction, and how obligations differ by entity type, the 2026 NACHA Operating Rules FAQ covers the questions compliance and fraud teams are asking most.


Gal Perelman is the Product Marketing Lead at Unit21, where she spearheads go-to-market strategies for AI-driven risk and compliance solutions. With over a decade of experience in the fintech and fraud sectors, she has led high-impact launches for products like Watchlist Screening and AI Rule Recommendations.

Previously, Gal held marketing leadership roles at Design Pickle, Sightfull, and Lusha. She holds a Master’s degree from American University and a Bachelor’s from UCLA, and is dedicated to helping banks and fintechs navigate complex regulatory landscapes through innovative technology.
